Atlassian has disclosed an XML External Entity (XXE) injection vulnerability in Jira Service Management, tracked as CVE-2019-13990.
The vulnerability affects both Server and Data Center instances and allows malicious content injection under certain conditions.
The following versions are affected:
| Affected version | Patch available from |
| --- | --- |
| JSM 4.20 | 4.20.26 |
| JSM 5.4 | 5.4.10 |
| JSM 5.7 | 5.7.2 |
| JSM 5.8 | 5.8.2 |
| JSM 5.9 | 5.9.2 |
| JSM 5.10 | 5.10.1 |
We therefore recommend that you upgrade your Jira Service Management instances as soon as possible. If this is not possible in the short term, you can also deactivate Assets (formerly Insight Asset Management) as a workaround.
We know how important it is that your data and systems are protected from attackers and would like to help you solve the problem as quickly as possible.