CVE-2017-18113: 
JIRA vulnerability analysis and mitigation

The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8.18.1 contains a Remote Code Execution (RCE) vulnerability identified as CVE-2017-18113. The vulnerability was discovered and disclosed in August 2021, affecting Jira versions from 7.2.0 onwards. This security flaw allows remote attackers to execute arbitrary code if they can convince a system administrator to import a malicious workflow (Jira Advisory).

The vulnerability exists in the DefaultOSWorkflowConfigurator class and allows for various problematic OSWorkflow classes to be used as part of workflows. The issue has a CVSS score of 8.3 (High severity) and is classified under CWE-94 (Improper Control of Generation of Code). The vulnerability specifically relates to unsafe conditions, validators, functions, and registers that are built into the OSWorkflow library and other Jira dependencies (Jira Advisory).

If successfully exploited, the vulnerability allows remote attackers to execute arbitrary code on the affected system. This could potentially lead to complete system compromise, as the code would execute with the same privileges as the Jira application (NVD).

The vulnerability was fully patched in Jira version 8.18.1 and 8.19.0. Workarounds are available in versions 8.5.19+ and 8.13.11+ by enabling the dark feature flag: com.atlassian.jira.security.LegacyJiraTypeResolver.block.unknown.functions.enabled. For Jira 8.18.1 and above, administrators can optionally disable the protection using the dark feature flag: com.atlassian.jira.security.LegacyJiraTypeResolver.WARN_ONLY.enabled (Jira Advisory).