Critical Security Advisory: Vulnerability in ScriptRunner for Jira

Adaptavist identified a vulnerability in ScriptRunner for Jira during recent internal penetration testing, and a fix was immediately developed and deployed.

Potential impacts of the vulnerability include denial of service and the unauthorized ability to read the contents of files on the filesystem. Both can be triggered by any user who can execute a JQL query. If your Jira instance permits anonymous access to issues, this means the vulnerability can be exploited without a user being logged in.

Based on its investigations, Adaptavist has found no evidence of this vulnerability being exploited in either manner.

Fix

Please update your Jira instance to ScriptRunner version 6.40.0 as soon as possible.

Mitigation

If you are unable to update immediately, the plugin module providing the `expression` and `aggregateExpressions` functions can be disabled through the Manage Apps interface. Please see Adaptavist’s documentation for how to disable these functions. We would still encourage you to update as soon as possible after applying any mitigation.

Need Help With This?

Give us a call, or request help here. As an Atlassian Platinum Solution Partner, we’re here to help you keep all your Atlassian products running smoothly.

SRJIRA-5647