SR Platform / SRPLAT-876

ScriptRunner Remote Events Code Execution Vulnerability

    Details

    • Sprint:
      SR4J Sprint 68, SR4J Sprint 69
    • Critical Points:
      2.7

      Description

      An HTTP POST made to /rest/scriptrunner/latest/remote-events with a specially crafted JSON payload could lead to unrestricted Groovy code execution for any logged-in user, regardless of permissions.

      This security vulnerability has been fixed in ScriptRunner 5.6.12 / 5.6.12.1-p5; it is recommended that all customers upgrade to 5.6.12+ (or 5.4.19.1+ for ScriptRunner for Bamboo) where possible.

      If the endpoint is not blocked by a firewall, you must update ScriptRunner to a version that includes this security patch.

      If you are not able to upgrade to ScriptRunner for Jira version 5.6.12 or higher, then, as a temporary workaround, you can block requests to the following endpoint: <base_url>rest/scriptrunner/*/remote-events/*

      To verify, check that requests to <baseurl>rest/scriptrunner/latest/remote-events/ and <baseurl>rest/scriptrunner/1.0/remote-events/ are denied.
      For more information and examples of how to apply the workaround in Apache or Tomcat by blocking requests to the ScriptRunner Remote Events endpoint at the reverse proxy or load-balancer level, please go to http://hub.adaptavist.com/workaround-for-scriptrunner-code-execution-vulnerability.
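      As an added example that is not part of this advisory or the linked hub page, the following Apache httpd 2.4 reverse-proxy fragment denies the endpoint for every version segment (the `*` in the pattern above), so both the latest and 1.0 paths listed for verification are covered; the backend address and hostname are assumptions.

```apache
# Added example (not from the advisory): Apache httpd 2.4 fronting Jira as a
# reverse proxy. Deny the Remote Events endpoint for every ScriptRunner REST
# version segment (latest, 1.0, ...), with or without a trailing path, for all
# HTTP methods and all users, before the request is proxied to Tomcat.
# If Jira is served under a context path such as /jira, prefix it in the regex.
<LocationMatch "^/rest/scriptrunner/[^/]+/remote-events(/|$)">
    Require all denied
</LocationMatch>

# Remaining traffic is proxied to Jira as before (backend address is assumed).
ProxyPreserveHost On
ProxyPass        "/" "http://jira-backend.internal:8080/"
ProxyPassReverse "/" "http://jira-backend.internal:8080/"

# Verify from outside the proxy; both requests should return 403 Forbidden:
#   curl -i -X POST https://jira.example.com/rest/scriptrunner/latest/remote-events/
#   curl -i -X POST https://jira.example.com/rest/scriptrunner/1.0/remote-events/
```

      While the rule is in place the Remote Events feature is unavailable to every user, including administrators, which is the intent of a temporary workaround until the upgrade is done.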

      IMPORTANT: Please note that Adaptavist Support does not provide any assistance for configuring reverse proxies. Consequently, we provide the examples as is, with no support and no written or implied warranties.

              People

              Assignee:
              rlander Reece Lander
              Reporter:
              aserrano Andre Dario Moreira Serrano