SR for Jira - Development / SRJIRA-5647

Security issue in expression JQL function


    • Bug
    • Resolution: Done
    • Critical
    • 6.40.0
    • SR4J Sprint 112

      A vulnerability exists within the ScriptRunner expression() JQL function that could allow a user without permission to access files on the file system. Most Jira instances restrict who can run JQL queries, but in the worst case Jira could be configured to allow anonymous access.

      As a mitigation, the plugin modules for the 'expression' and 'aggregateExpression' functions can be disabled through Manage Apps:

      • Scripted JQL Function - expression (scripted-jql-function-expression)
      • Scripted JQL Function - aggregateExpression (scripted-jql-function-aggregateExpression)
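
To check whether the two functions are in use (by saved searches, or by anonymous users) before or after disabling the modules, the added example below scans web access-log lines for JQL that calls them. It is not ScriptRunner or Adaptavist code; the log layout (ip, request id, user, timestamp, request line) and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Function names come from the advisory; matched as a JQL function call.
FUNC_RE = re.compile(r"\b(expression|aggregateExpression)\s*\(", re.IGNORECASE)

# Assumed layout: ip request-id user [timestamp] "METHOD url HTTP/x" ...
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]*\] "(\S+) (\S+) [^"]*"')

# Constructed sample lines (documentation IP ranges, placeholder arguments).
SAMPLE = [
    '203.0.113.7 601x12x1 - [01/Jan/2024:10:01:00 +0000] '
    '"GET /rest/api/2/search?jql=issueFunction+in+expression%28%22%22%2C+%22PLACEHOLDER%22%29 HTTP/1.1" 200 512',
    '198.51.100.4 601x13x1 alice [01/Jan/2024:10:02:00 +0000] '
    '"GET /rest/api/2/search?jql=project+%3D+DEMO HTTP/1.1" 200 900',
    '198.51.100.4 601x14x1 alice [01/Jan/2024:10:03:00 +0000] '
    '"GET /issues/?jql=issueFunction%20in%20aggregateExpression(%22total%22%2C%20%22PLACEHOLDER%22) HTTP/1.1" 200 700',
]


def find_function_use(lines):
    """Return (ip, user, function, jql) for each request whose JQL calls
    expression() or aggregateExpression()."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed layout; skip rather than guess
        ip, user, _method, url = m.groups()
        who = "anonymous" if user == "-" else user
        # parse_qs URL-decodes the value, so %28 and '+' forms are matched too.
        for jql in parse_qs(urlsplit(url).query).get("jql", []):
            for call in FUNC_RE.finditer(jql):
                hits.append((ip, who, call.group(1), jql))
    return hits


if __name__ == "__main__":
    for ip, who, func, jql in find_function_use(SAMPLE):
        print(f"{ip} user={who} function={func} jql={jql}")
```

JQL submitted in a POST body does not appear in the request line, so an empty result from access logs alone does not prove the functions were never called.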

            jechlin Jamie Echlin