An HTTP POST made to /rest/scriptrunner/latest/remote-events with a specially crafted JSON payload could lead to unrestricted Groovy code execution for any logged-in user, regardless of permissions.
This security vulnerability has been fixed in ScriptRunner 5.6.12 / 22.214.171.124-p5; it is recommended all customers upgrade to 5.6.12+ (or 126.96.36.199+ for ScriptRunner for Bamboo) where possible.
If no firewall is enabled, users must update ScriptRunner to include this security patch.
If you are not able to upgrade to ScriptRunner for Jira version 5.6.12 or higher, then, as a temporary workaround, you can block request to the following endpoint: <base_url>rest/scriptrunner/*/remote-events/*
To verify, check that requests to *<baseurl>rest/scriptrunner/latest/remote-events/ and <baseurl>rest/scriptrunner/1.0/remote-events/ are denied
For more information and examples of how to apply the workaround in Apache or Tomcat by blocking requests to the ScriptRunner Remote Events endpoint at the reverse proxy or load-balancer level, please go to http://hub.adaptavist.com/workaround-for-scriptrunner-code-execution-vulnerability.
IMPORTANT: Please note that Adaptavist Support does not provide any assistance for configuring reverse proxies. Consequently, we provide the examples as is, with no support and no written or implied warranties.