During an internal review, Adaptavist found a security vulnerability in ScriptRunner for Jira. According to Atlassian's security severity levels, this vulnerability is classified as critical. All versions of ScriptRunner for Jira Server 4.0 and above are affected.
We strongly recommend customers update at their earliest opportunity to patch this vulnerability.
How to fix the vulnerability
This vulnerability can be fixed by upgrading ScriptRunner for Jira. Full instructions on how to upgrade an app can be found on Atlassian's support page.
Updates are available for all affected versions. ScriptRunner for Jira Cloud is not affected.
Further details will be released in due course as part of Adaptavist's commitment to responsible disclosure. Adaptavist is committed to providing powerful and secure apps for Atlassian products, and we are unaware of any instances of this vulnerability being exploited across our customer base. If you have urgent questions, please contact our support team.
- If you have Jira 7.2 or above, upgrade to ScriptRunner for Jira version 5.3.26 or above
- If you have Jira 7.0 or 7.1, upgrade to ScriptRunner for Jira version 5.1.6.2
- If you have Jira 6.4, upgrade to ScriptRunner for Jira version 4.1.3.29
- If you have Jira 6.3.10 to Jira 6.3.15 inclusive, upgrade to ScriptRunner for Jira version 4.1.3.28
- If you have Jira 6.3.0 to 6.3.9 inclusive, upgrade to ScriptRunner for Jira version 4.1.3.27
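
The upgrade list above, written as a check that can be run against an inventory of Jira Server instances. This is an added example, not Adaptavist's code; the function and constant names are hypothetical. It assumes that only the exact versions listed count as fixed, except for the Jira 7.2+ row where the advisory says "or above".

```python
import re

def parse(version):
    """'5.3.26' -> (5, 3, 26). Any suffix after the dotted number is ignored."""
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError("not a version string: %r" % version)
    return tuple(int(part) for part in match.group(0).split("."))

def at_least(version, floor):
    """True if version >= floor, padding the shorter tuple with zeros."""
    width = max(len(version), len(floor))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(floor)

# Rows from the advisory: lowest Jira, highest Jira (None = open-ended),
# fixed ScriptRunner version, and whether the advisory says "or above".
MATRIX = [
    ("7.2", None, "5.3.26", True),
    ("7.0", "7.1", "5.1.6.2", False),
    ("6.4", "6.4", "4.1.3.29", False),
    ("6.3.10", "6.3.15", "4.1.3.28", False),
    ("6.3.0", "6.3.9", "4.1.3.27", False),
]

def advise(jira_version, scriptrunner_version):
    """Return the action the advisory implies for one Jira Server instance."""
    jira, sr = parse(jira_version), parse(scriptrunner_version)
    if not at_least(sr, (4, 0)):
        return "not affected"  # the advisory covers 4.0 and above only
    for low, high, fixed, or_above in MATRIX:
        upper = parse(high) if high else None
        # Compare only as many components as the bound has, so that
        # Jira 7.1.9 falls in "7.0 or 7.1" and 6.4.14 falls in "6.4".
        in_range = at_least(jira, parse(low)) and (
            upper is None or jira[:len(upper)] <= upper)
        if not in_range:
            continue
        target = parse(fixed)
        patched = at_least(sr, target) if or_above else sr == target
        return "patched" if patched else "upgrade to " + fixed
    return "no guidance for this Jira version"

if __name__ == "__main__":
    # Constructed inventory: (Jira version, installed ScriptRunner version)
    for jira, sr in [("7.6.1", "5.3.5"), ("7.1.9", "5.1.6.2"), ("6.4.14", "4.1.3.28")]:
        print(jira, sr, "->", advise(jira, sr))
```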