Atlassian has patched a critical vulnerability affecting Jira Server and Data Center versions released since the summer of 2011. The vulnerability was discovered and reported by Bugcrowd researcher Daniil Dmitriev. It could be exploited when Jira has been configured with an SMTP server and the Contact Administrators Form is enabled. An attacker would not need to authenticate in order to take advantage of the flaw. A workaround can be applied for the short term: Block access to the reverse-proxy, load balancer, or directly from Tomcat.
Source: https://www.bleepingcomputer.com/news/security/jira-server-and-data-center-update-patches-critical-vulnerability/