Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-69933

Template injection in Jira importers plugin - CVE-2019-15001

XMLWordPrintable

      Issue Summary

      There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin (JIM). An attacker with "JIRA Administrators" access can exploit this issue. Successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.

      Affected version:

      • Versions of Jira Server & Jira Data Center starting with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8 (the fixed version for 7.13.x), from 8.0.0 before 8.1.3 (the fixed version for 8.1.x), from 8.2.0 before 8.2.5 (the fixed version for 8.2.x), and from 8.3.0 before 8.3.4 (the fixed version for 8.3.x) , and from 8.4.0 before 8.4.1 (the fixed version for 8.4.x) are affected by this vulnerability.

      Fix

      We have released the following versions of Jira Server & Jira Data Center to address this issue:

      We have released the following versions of Jira Software Server to address this issue:

      For additional details, see the full advisory.

            [JRASERVER-69933] Template injection in Jira importers plugin - CVE-2019-15001

            John Smith added a comment - - edited

            Is a fix planned for Jira Server 8.0.3? -> 8.0.4

            John Smith added a comment - - edited Is a fix planned for Jira Server 8.0.3? -> 8.0.4

            David Black added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 9.1 => Critical severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity Low
            Privileges Required High
            User Interaction None

            Scope Metric

            Scope Changed

            Impact Metrics

            Confidentiality High
            Integrity High
            Availability High

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

            David Black added a comment - This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 9.1 => Critical severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required High User Interaction None Scope Metric Scope Changed Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

              Unassigned Unassigned
              aminozhenko alexmin (Inactive)
              Affected customers:
              0 This affects my team
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: