[JRASERVER-69532] CVE-2019-11581 - Template injection in various resources

      There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. For this issue to be exploitable at least one of the following conditions must be met:

      • an SMTP server has been configured in Jira and the Contact Administrators Form is enabled; or
      • an SMTP server has been configured in Jira and an attacker has "JIRA Administrators" access.

      In the first case, where the Contact Administrators Form is enabled, attackers are able to exploit this issue without authentication. In the second case, attackers with "JIRA Administrators" access can exploit this issue. In either case, successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.

      Affected versions:

      • All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.
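
As an added example (not part of the advisory), a small Python check that applies the affected ranges above to an inventory of Jira Server / Data Center instances; the hostnames and versions in the sample are constructed.

```python
import re

# Affected ranges from the advisory, as (first affected, first fixed):
# a version v is affected when lo <= v < hi.
AFFECTED_RANGES = [
    ((4, 4, 0), (7, 6, 14)),
    ((7, 7, 0), (7, 13, 5)),
    ((8, 0, 0), (8, 0, 3)),
    ((8, 1, 0), (8, 1, 2)),
    ((8, 2, 0), (8, 2, 3)),
]


def parse_version(version: str) -> tuple:
    """Turn a Jira version string such as '7.13.4' into a comparable tuple.

    Only the leading dotted numeric part is used, so a build suffix such as
    '8.1.2-m0001' is ignored; short versions are padded ('8.2' -> (8, 2, 0)).
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable Jira version: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(version: str) -> bool:
    """True if this Jira Server / Data Center version is in an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: dict) -> dict:
    """Map each hostname to 'affected' or 'not affected' for a version inventory."""
    return {host: ("affected" if is_affected(ver) else "not affected")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {
        "jira-prod.example.internal": "7.13.4",
        "jira-dc-node1.example.internal": "8.2.3",
        "jira-legacy.example.internal": "7.6.14",
        "jira-dev.example.internal": "8.0.2",
    }
    for host, status in triage(sample).items():
        print(f"{host:32} {sample[host]:8} {status}")
```

Versions outside every listed range (for example 8.3.0, or 7.6.14 itself) report as not affected; versions the parser cannot read raise rather than silently passing.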

      Fix:
      We have released the following versions of Jira Server & Jira Data Center to address this issue:

       

      For additional details, see the full advisory.


            Bingwei Li added a comment -

            I failed to renew today again. Please kindly help me to check it.


            SANTIAGO GARCIA-MARTINEZ added a comment -

            Hello, I would need to know how I can remove an administrator on a project and add new ones. The actual administrator on the project has left my organisation.

            Thank you.

            Santiago

            Incle YC added a comment - edited

            There is no move from project to project. Could not find an issue to connect to. I can't find it, but it's actually a project. What should I do?

            Stefano Capuzzimato (Inactive) added a comment -

            Hi Adam,

            Thank you for reaching out to us! Would you be able to go on to our support site and file a case with us? If you're currently experiencing problems or have any questions or concerns for us, we'll make sure you get the assistance required for your specific case. Hope that helps.

            Adam Zacks added a comment -

            I have installed 8.0.3 into our dev environment and we are now seeing several issues.

            1. Unable to view workflow.
            2. Unable to view workflow in diagram format.
            3. Prompts to upgrade Service Desk to 4.0.3.
            4. Tomcat http/https config inconsistencies (we use IIS, which I have already amended).
            5. Avatars not present on screen but present when viewing profile.

            Everyone is looking to me but I am just a DBA, please help if possible.

            Adam.

            AB added a comment -

            Hello kamalkailasa.babu! It's not the incoming mail that needs to be disabled, but actually some other settings which are described in the full advisory.

            You can see information about that in the advisory here: Mitigation instructions.


            Stefano Capuzzimato (Inactive) added a comment -

            Hi Kamal, do you have an open ticket with us? We'll be able to provide support specific to your case on your ticket if you do.

            Hope that helps!

            Kamal Kailasa Babu added a comment -

            What is the possibility for an attacker to get Jira admin access?

            Are we safe if our incoming mail is not enabled?

            Security Metrics Bot added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.
            CVSS v3 score: 8.4 => High severity; ref: https://www.atlassian.com/trust/security/bug-fix-policy

            Exploitability Metrics
            Attack Vector: Network
            Attack Complexity: Low
            Privileges Required: High
            User Interaction: Required

            Scope Metric
            Scope: Changed

            Impact Metrics
            Confidentiality: High
            Integrity: High
            Availability: High

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
