bitvoodoo Advisories
Space shortcuts
Space Tools
bitvoodoo Advisories BVADVIS

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

Communcation by Vendor


CVE-2021-26068 - Remote Code Execution in Jira Server for Slack

Advisory Release Date

17 Feb 2021, 10 AM PDT


Jira Server for Slack plugin

Affected Versions

All versions < 2.0.15

Fixed Versions




Summary of Vulnerability

This advisory discloses a critical severity security vulnerability in Jira Server for Slack plugin. All versions of this plugin up to and including 2.0.14 are affected by this vulnerability. Jira Server and Data Center instances that don’t have this plugin installed are NOT affected by this vulnerability. By default, this plugin does not come installed in the Jira server and data center instances. However, if you do have this plugin installed in your server or data center instances, upgrade your app/plugin installations to version 2.0.15 immediately to fix this vulnerability. Also, note that this does NOT affect any Jira cloud instances.


There is a remote code execution vulnerability affecting the Jira Server for Slack plugin that can be potentially exploited by any authenticated Jira user by sending malicious payloads to the affected endpoint. In a successful exploitation of this vulnerability, an attacker could potentially execute arbitrary code on the system.

This issue can be tracked here (currently restricted to Atlassian staff):

What You Need to Do

Check whether your Jira server/DC instance has the vulnerable plugin installed or not. To do this, go to your applications and search for “Jira Server for Slack” plugin. If it is installed, check the version. If the version is less than 2.0.15, then the instance is vulnerable.

Upgrading the Plugin

Upgrade the plugin to the latest version. Details on how to update apps can be found here.


If you are unable to upgrade the plugin immediately, then as a temporary workaround, you can:

  • Disable the plugin; or

  • Uninstall the plugin; or

  • Block the /rest/slack/1.0/message/render endpoint from being accessed. This can be achieved by denying access in the reverse-proxy, load balancer, or Tomcat directly (see instructions).

For a full description of the latest version of Jira Server for Slack, see the release notes - You can download the latest version of the plugin from the Atlassian Marketplace.

Page properties



ProductJira Server for Slack (Official)
Marketplace link
Base productJira

Recommendation by bitvoodoo

  • Upgrade to version 2.0.15 of the app

If you need any assistance please contact our Support Team.

bitvoodoo Advisories BVADVIS