-
Bug
-
Resolution: Fixed
-
Highest (View bug fix roadmap)
-
4.4, 7.1.0, 7.2.0, 7.3.0, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.0.0, 7.8.0, 7.9.0, 7.10.0, 7.11.0, 7.12.0, 7.13.0, 7.13.1, 8.1.0, 8.2.0
-
4.04
-
Severity 1 - Critical
-
There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. For this issue to be exploitable at least one of the following conditions must be met:
- an SMTP server has been configured in Jira and the Contact Administrators Form is enabled; or
- an SMTP server has been configured in Jira and an attacker has "JIRA Administrators" access.
In the first case, where the Contact Administrators Form is enabled, attackers are able to exploit this issue without authentication. In the second case, attackers with "JIRA Administrators" access can exploit this issue. In either case, successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.
Affected versions:
- All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.
Fix:
We have released the following versions of Jira Server & Jira Data Center to address this issue:
- 8.2.3 which is available for download from https://www.atlassian.com/software/jira/download.
- 8.1.2 which is available for download from https://www.atlassian.com/software/jira/update.
- 8.0.3 which is available for download from https://www.atlassian.com/software/jira/update.
- 7.13.5 which is available for download from https://www.atlassian.com/software/jira/update.
- 7.6.14 which is available for download from https://www.atlassian.com/software/jira/update.
For additional details, see the full advisory.
[JRASERVER-69532] CVE-2019-11581 - Template injection in various resources
| Remote Link | New: This issue links to "Page (Confluence)" [ 867661 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 847662 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 845997 ] |
| Labels | Original: CVE-2019-11581 advisory advisory-released bugbounty cvss-high hot-jira-fixed injection rce security | New: CVE-2019-11581 advisory advisory-released bugbounty cvss-high injection rce security |
| Remote Link | Original: This issue links to "Page (Confluence)" [ 487942 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 487942 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 487018 ] |
| Fixed in Enterprise Release/s | New: [Download 7.13, 7.6|https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 484551 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 477474 ] |