Important security fix for ScriptRunner for Confluence. Please read.
We are writing to inform you of a security vulnerability recently identified in ScriptRunner for Confluence Server and Data Center. The vulnerability affects all versions of ScriptRunner for Confluence from version 5.1.7 to version 5.6.15 (inclusive).
About the vulnerability
This is a remote code execution vulnerability. A malicious authenticated Confluence user could exploit it to run arbitrary code inside the Confluence instance.
This vulnerability has been rated as Critical according to Atlassian's Severity Levels for Security Issues and was identified as part of an internal security audit of our source code. Once we became aware of the issue, analysis and work towards finding a fix started immediately.
Based on our investigations, we have not found any instances of this vulnerability being exploited.
How to fix the vulnerability
If you are using Confluence 6.6.0 through Confluence 7.0.x, upgrade immediately to ScriptRunner for Confluence version 5.6.16 or higher.
If you are using Confluence 7.1 or higher, upgrade immediately to ScriptRunner for Confluence version 5.6.16.1-p5 or higher.
Workaround
We strongly recommend you immediately upgrade your ScriptRunner for Confluence. If you are not able to upgrade immediately, please use this workaround as a temporary solution.
For more details, please read the ticket SRCONF-1097.
If you have any questions, please raise a support request referencing SRCONF-1097.
Sincerely,
Adaptavist Apps Team