- Owner
We're making steps towards verifiably secure installation directories for all Data Center products. These changes not only increase the difficulty for an attacker to exploit filesystem access but also allow customers to verify the state of the product installation.
Starting from Jira 10.0, all Velocity files stored on the filesystem (for example, shared, local home, or any other) will need to be explicitly allowlisted and must be of a specific file type. Files stored inside .jar files and bundled within plugins won't be affected. In addition, all method invocations within a Velocity template must be explicitly allowlisted. For more information, visit Configuring the Velocity method allowlist and Configuring the Velocity file and file type allowlist.
https://beta.jimiwikman.se/forums/topic/12122-velocity-template-and-allowlist-security-improvements/
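The update above names two controls without showing how they bite: a template is only loaded if its path sits under an allowlisted directory and carries an allowlisted extension, and a template body may only call allowlisted methods. The following is an added Python model of both checks, written for this page; it is not Atlassian's code and does not reproduce Jira's configuration format or its class-based method allowlist. The directory roots, the `.vm` suffix, the variable and method names, and both sample templates are assumptions constructed for the example.

```python
"""
Illustrative model of a Velocity-style file allowlist and method allowlist.
Hypothetical code written for this page, not Jira's implementation.
"""
import re
from pathlib import Path

# Assumed allowlisted template directories (not real Jira defaults).
ALLOWED_ROOTS = ["/opt/atlassian/jira/shared/templates",
                 "/opt/atlassian/jira/local/templates"]
# Assumed allowlisted file type: only Velocity templates, nothing else.
ALLOWED_SUFFIXES = {".vm"}
# Assumed allowlist keyed on (template variable, method). Jira's real
# allowlist is keyed on class and method; this simplification is for illustration.
ALLOWED_METHODS = {("user", "getDisplayName"), ("issue", "getKey")}

# A reference starts with $ or $!, optionally ${ ... }, then an identifier.
REF = re.compile(r"\$!?\{?([A-Za-z_]\w*)")
# A method call in a reference chain: ".name(".
CALL = re.compile(r"\.([A-Za-z_]\w*)\s*\(")


def is_template_allowed(path, roots=ALLOWED_ROOTS, suffixes=ALLOWED_SUFFIXES):
    """True only if the resolved path has an allowed suffix and lies under an allowed root."""
    # resolve() collapses ".." and follows symlinks, so a traversal string such as
    # "templates/../../../etc/x.vm" is judged by where it actually points.
    p = Path(path).resolve()
    if p.suffix.lower() not in suffixes:
        return False
    for root in roots:
        try:
            # relative_to is a path-component check; a string prefix test would
            # wrongly accept "/opt/.../templates-evil/x.vm".
            p.relative_to(Path(root).resolve())
            return True
        except ValueError:
            continue
    return False


def method_calls(template_text):
    """Return (variable, method) for every call in a reference chain such as $a.b().c().

    Every chained call is attributed to the variable that starts the chain, so
    $issue.getClass().forName(...) yields both ("issue","getClass") and ("issue","forName").
    Caveat: the paren matcher is depth-aware but not string-aware, so a ')' inside a
    string literal argument would end the argument list early.
    """
    calls = []
    for ref in REF.finditer(template_text):
        var, pos = ref.group(1), ref.end()
        while True:
            m = CALL.match(template_text, pos)
            if not m:
                break
            calls.append((var, m.group(1)))
            # Skip past the argument list to find the next chained call.
            depth, i = 0, m.end() - 1
            while i < len(template_text):
                if template_text[i] == "(":
                    depth += 1
                elif template_text[i] == ")":
                    depth -= 1
                    if depth == 0:
                        break
                i += 1
            pos = i + 1
    return calls


def find_disallowed_calls(template_text, allowed=ALLOWED_METHODS):
    """Sorted list of method calls in the template that are not on the allowlist."""
    return sorted(set(method_calls(template_text)) - allowed)


# Constructed sample templates for the example.
SAFE_TEMPLATE = "Hello $user.getDisplayName(), about issue $issue.getKey()"
# The classic reflection escape: reach java.lang.Runtime from any object reference.
MALICIOUS_TEMPLATE = ('#set($rt = $issue.getClass().forName("java.lang.Runtime"))\n'
                      '$rt.getRuntime().exec("id")')

if __name__ == "__main__":
    print(is_template_allowed("/opt/atlassian/jira/shared/templates/email.vm"))
    print(is_template_allowed("/opt/atlassian/jira/shared/templates/../../../../etc/cron.vm"))
    print(find_disallowed_calls(SAFE_TEMPLATE))
    print(find_disallowed_calls(MALICIOUS_TEMPLATE))
```

The two checks are complementary: the file allowlist stops an attacker who can write to shared or local home from getting a dropped template rendered at all, and the method allowlist stops a template that is rendered from reaching `getClass().forName(...)` or `Runtime.exec` through reflection, which is the usual route from template injection to code execution. A practitioner would enforce both, since either one alone leaves the other path open.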