...

The vulnerability would allow an attacker who had Jira admin or Refined Admin permissions to perform a directory path traversal attack by uploading the attack file as a logo or image via filename.

If you have any questions regarding this, please reach out to us.

...

This issue has been fixed in version 3.5.7. If you are currently on a lower version, we recommend upgrading to the latest release or at least 3.5.7. Please note that if you upgrade via UPM, you will get the latest version. To upgrade to a lower version, you need to download the JAR file from the Atlassian Marketplace and manually upload it in the UPM.

Special thanks

Special thanks go to Jahmel Harris from NATO Cyber Security Centre (NCSC) for discovering the vulnerability.