If you are unable to upgrade your version of ScriptRunner immediately then, as a temporary workaround, you can block requests to the following endpoint:
<base_url>rest/scriptrunner/*/remote-events/
To verify that the workaround is applied correctly, check that requests to <base_url>rest/scriptrunner/*/remote-events/ are denied.
Below are examples of how to apply the workaround in Apache and Tomcat by blocking requests to the ScriptRunner Remote Events endpoint at the reverse proxy, load-balancer or application server level.
IMPORTANT: Please note that Adaptavist Support does not provide any assistance for configuring reverse proxies. Consequently, we provide the below examples as is, with no support and no written or implied warranties.
For Apache configurations that use the Require directive, add the following to the .conf file that contains the VirtualHost that proxies to the Atlassian application:
<LocationMatch "/rest/scriptrunner/.*/remote-events/">
    Require all denied
</LocationMatch>
Example:
<VirtualHost *:80>
    ServerName jira.example.com
    ProxyRequests Off
    ProxyVia Off
    <Proxy *>
        Require all granted
    </Proxy>
    ProxyPass /jira http://ipaddress:8080/jira
    ProxyPassReverse /jira http://ipaddress:8080/jira
    <LocationMatch "/rest/scriptrunner/.*/remote-events/">
        Require all denied
    </LocationMatch>
</VirtualHost>
For Apache configurations that use the older Order/Deny directives, add the following to the .conf file that contains the VirtualHost that proxies to the Atlassian application:
<LocationMatch "/rest/scriptrunner/.*/remote-events/">
    Order Allow,Deny
    Deny from all
</LocationMatch>
Example:
<VirtualHost *:80>
    ServerName jira.example.com
    ProxyRequests Off
    ProxyVia Off
    <Proxy *>
        Require all granted
    </Proxy>
    ProxyPass /jira http://ipaddress:8080/jira
    ProxyPassReverse /jira http://ipaddress:8080/jira
    <LocationMatch "/rest/scriptrunner/.*/remote-events/">
        Order Allow,Deny
        Deny from all
    </LocationMatch>
</VirtualHost>
For Tomcat, redirect requests to /rest/scriptrunner/.*/remote-events/.* to a safe URL:
<rule>
    <from>/rest/scriptrunner/.*/remote-events/.*</from>
    <to type="temporary-redirect">/</to>
</rule>
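One way to run the verification step described above against either workaround, as an added example that is not part of the original advisory or of ScriptRunner: it requests the endpoint through the proxy without following redirects and reports whether the response is the Apache denial (403) or the Tomcat redirect. The `latest` segment used in place of `*` and all function names are assumptions.

```python
import sys
import urllib.error
import urllib.request

# Assumption: "latest" stands in for the "*" version segment of the endpoint.
ENDPOINT = "rest/scriptrunner/latest/remote-events/"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following 3xx so the Tomcat redirect rule stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx status


def fetch(url, timeout=10):
    """GET url without following redirects; return (status, Location header)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def classify(status, location):
    """Map a response onto the two workarounds described in the advisory."""
    if status == 403:
        return "denied"      # Apache: Require all denied / Deny from all
    if status in (301, 302, 303, 307, 308) and "remote-events" not in (location or ""):
        return "redirected"  # Tomcat: temporary-redirect to a safe URL
    return "not blocked"     # any other response matches neither rule


def verify(base_url, fetcher=fetch):
    """Check the endpoint under base_url (which may include a context path)."""
    url = base_url.rstrip("/") + "/" + ENDPOINT
    status, location = fetcher(url)
    return url, status, classify(status, location)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: verify_block.py <base_url>")
    url, status, verdict = verify(sys.argv[1])
    print(f"{url} -> HTTP {status}: {verdict}")
    sys.exit(0 if verdict != "not blocked" else 1)
```

Run it against the externally reachable base URL so the request passes through the same proxy or load balancer that carries the rule.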
Please raise a support request referencing SRPLAT-876.