Hi there,
We are writing because we have identified a security vulnerability in ScriptRunner for Jira Server and Data Center which requires an update to fix. This affects all supported versions of ScriptRunner for Jira and we encourage you to update to the latest version of ScriptRunner for Jira as soon as possible.
About the vulnerability
In accordance with Atlassian criteria, we rate this vulnerability as Critical.
The vulnerability was identified during the course of recent internal penetration testing and a fix has been immediately developed and deployed.
Potential exploits of the vulnerability include denial of service and the unauthorised ability to read the contents of files on the filesystem. These can be exploited by any user who can execute a JQL query. If your Jira instance permits anonymous access to issues, this means they can be exploited without a user being logged in.
Based on our investigations, we have not found any evidence of this vulnerability being exploited in either manner.
Fix
Please update your Jira instance to ScriptRunner version 6.40.0 as soon as possible.
Mitigation
If you are unable to update immediately, the plugin module that provides the `expression` and `aggregateExpressions` functions can be disabled through the Manage Apps interface. Please see our documentation for how to disable these functions. We would still encourage you to update as soon as possible after implementing any mitigation.
We take privacy and security incredibly seriously here at Adaptavist. If you have any questions about this matter, please raise a ticket via our support desk, citing SRJIRA-5647.
Kind regards,
Andre Serrano
Lead Product Manager, ScriptRunner