Project: Jira Data Center
Issue: JRASERVER-69933

Template injection in Jira importers plugin - CVE-2019-15001

      Issue Summary

      There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin (JIM). An attacker with "JIRA Administrators" access can exploit this issue. Successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.

      Affected versions:

      • Versions of Jira Server & Jira Data Center starting with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8 (the fixed version for 7.13.x), from 8.0.0 before 8.1.3 (the fixed version for 8.1.x), from 8.2.0 before 8.2.5 (the fixed version for 8.2.x), from 8.3.0 before 8.3.4 (the fixed version for 8.3.x), and from 8.4.0 before 8.4.1 (the fixed version for 8.4.x) are affected by this vulnerability.

      Fix

      We have released the following versions of Jira Server & Jira Data Center to address this issue:

      • 8.4.1 which is available for download from https://www.atlassian.com/software/jira/download
      • 8.3.4 which is available for download from https://www.atlassian.com/software/jira/update
      • 8.2.5 which is available for download from https://www.atlassian.com/software/jira/update
      • 8.1.3 which is available for download from https://www.atlassian.com/software/jira/update
      • 7.13.8 which is available for download from https://www.atlassian.com/software/jira/update
      • 7.6.16 which is available for download from https://www.atlassian.com/software/jira/update

      We have released the following versions of Jira Software Server to address this issue:

      • 8.4.1 which is available for download from https://www.atlassian.com/software/jira/download
      • 8.3.4 which is available for download from https://www.atlassian.com/software/jira/update
      • 8.2.5 which is available for download from https://www.atlassian.com/software/jira/update
      • 8.1.3 which is available for download from https://www.atlassian.com/software/jira/update
      • 7.13.8 which is available for download from https://www.atlassian.com/software/jira/update
      • 7.6.16 which is available for download from https://www.atlassian.com/software/jira/update

      For additional details, see the full advisory: https://confluence.atlassian.com/jira/jira-security-advisory-2019-09-18-976766250.html
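As an added example, not part of the advisory or of Atlassian's own tooling, the following Python checker encodes the affected and fixed version ranges stated above so a list of deployed Jira versions can be triaged; it compares versions numerically rather than as strings, and treats a release at or above the fixed version of its own line (such as 7.6.17) as not affected. The host names and versions in the sample inventory are constructed.

```python
"""Triage Jira Server / Data Center versions against the CVE-2019-15001 ranges."""
import re
from typing import Optional, Tuple

# Affected ranges as stated in the advisory: (first affected, first fixed).
# A version v is affected when first_affected <= v < first_fixed; anything at
# or above the fixed release of its own line (e.g. 7.6.17) is not affected.
AFFECTED_RANGES = [
    ("7.0.10", "7.6.16"),
    ("7.7.0", "7.13.8"),
    ("8.0.0", "8.1.3"),
    ("8.2.0", "8.2.5"),
    ("8.3.0", "8.3.4"),
    ("8.4.0", "8.4.1"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.4.1' (also '8.4' or 'v8.4.1-rc1') into a tuple of ints.

    Integer tuples compare numerically, avoiding the lexical pitfall where
    the string '8.10.0' sorts before '8.4.1'. Short versions are padded
    with zeros so '8.4' compares equal to '8.4.0'.
    """
    match = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def fixed_version_for(version: str) -> Optional[str]:
    """Return the fixed release to upgrade to, or None if not affected."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            return first_fixed
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and versions).
    inventory = {"jira-prod": "8.3.2", "jira-dev": "8.4.1", "jira-legacy": "7.6.17"}
    for host, ver in inventory.items():
        fix = fixed_version_for(ver)
        print(f"{host} {ver}: {'upgrade to ' + fix if fix else 'not affected'}")
```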

            [JRASERVER-69933] Template injection in Jira importers plugin - CVE-2019-15001

            David Black made changes -
            Description Original: h3. Issue Summary

            There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin (JIM). An attacker with "JIRA Administrators" access can exploit this issue. Successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.

            Affected version:
            * Versions of Jira Server & Jira Data Center starting with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8 (the fixed version for 7.13.x), from 8.1.0 before 8.1.3 (the fixed version for 8.1.x), from 8.2.0 before 8.2.5 (the fixed version for 8.2.x), and from 8.3.0 before 8.3.4 (the fixed version for 8.3.x), and from 8.4.0 before 8.4.1 (the fixed version for 8.4.x) are affected by this vulnerability.

            h3. Fix

            We have released the following versions of Jira Server & Jira Data Center to address this issue:

            * 8.4.1 which is available for download from https://www.atlassian.com/software/jira/download
            * 8.3.4 which is available for download from https://www.atlassian.com/software/jira/update
            * 8.2.5 which is available for download from https://www.atlassian.com/software/jira/update
            * 8.1.3 which is available for download from https://www.atlassian.com/software/jira/update
            * 7.13.8 which is available for download from https://www.atlassian.com/software/jira/update
            * 7.6.16 which is available for download from https://www.atlassian.com/software/jira/update

            We have released the following versions of Jira Software Server to address this issue:

            * 8.4.1 which is available for download from https://www.atlassian.com/software/jira/download
            * 8.3.4 which is available for download from https://www.atlassian.com/software/jira/update
            * 8.2.5 which is available for download from https://www.atlassian.com/software/jira/update
            * 8.1.3 which is available for download from https://www.atlassian.com/software/jira/update
            * 7.13.8 which is available for download from https://www.atlassian.com/software/jira/update
            * 7.6.16 which is available for download from https://www.atlassian.com/software/jira/update

            For additional details, see the [full advisory|https://confluence.atlassian.com/jira/jira-security-advisory-2019-09-18-976766250.html].
            New: h3. Issue Summary

            There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin (JIM). An attacker with "JIRA Administrators" access can exploit this issue. Successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.

            Affected version:
            * Versions of Jira Server & Jira Data Center starting with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8 (the fixed version for 7.13.x), from 8.0.0 before 8.1.3 (the fixed version for 8.1.x), from 8.2.0 before 8.2.5 (the fixed version for 8.2.x), and from 8.3.0 before 8.3.4 (the fixed version for 8.3.x), and from 8.4.0 before 8.4.1 (the fixed version for 8.4.x) are affected by this vulnerability.

            h3. Fix

            We have released the following versions of Jira Server & Jira Data Center to address this issue:

            * 8.4.1 which is available for download from https://www.atlassian.com/software/jira/download
            * 8.3.4 which is available for download from https://www.atlassian.com/software/jira/update
            * 8.2.5 which is available for download from https://www.atlassian.com/software/jira/update
            * 8.1.3 which is available for download from https://www.atlassian.com/software/jira/update
            * 7.13.8 which is available for download from https://www.atlassian.com/software/jira/update
            * 7.6.16 which is available for download from https://www.atlassian.com/software/jira/update

            We have released the following versions of Jira Software Server to address this issue:

            * 8.4.1 which is available for download from https://www.atlassian.com/software/jira/download
            * 8.3.4 which is available for download from https://www.atlassian.com/software/jira/update
            * 8.2.5 which is available for download from https://www.atlassian.com/software/jira/update
            * 8.1.3 which is available for download from https://www.atlassian.com/software/jira/update
            * 7.13.8 which is available for download from https://www.atlassian.com/software/jira/update
            * 7.6.16 which is available for download from https://www.atlassian.com/software/jira/update

            For additional details, see the [full advisory|https://confluence.atlassian.com/jira/jira-security-advisory-2019-09-18-976766250.html].
            David Black made changes -
            Labels Original: CVE-2019-15001 advisory advisory-to-release bugbounty injection security template-injection New: CVE-2019-15001 advisory advisory-released bugbounty injection security template-injection
            set-jac-bot made changes -
            Archana Menon made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 483875 ]
            Said made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 471323 ]
            Richard Atkins made changes -
            Labels Original: CVE-2019-15001 advisory advisory-to-release bugbounty security template-injection New: CVE-2019-15001 advisory advisory-to-release bugbounty injection security template-injection
            alexmin (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 452900 ]
            Brian Adeloye (Inactive) made changes -
            Security Original: Reporter and Atlassian Staff [ 10751 ]
            Julien Rey made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 450286 ]
            David Black made changes -
            Description Original: h3. Issue Summary

            There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin (JIM). An attacker with "JIRA Administrators" access can exploit this issue. Successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.

            Affected version:
            * Versions of Jira Server & Jira Data Center starting with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8 (the fixed version for 7.13.x), from 8.1.0 before 8.1.3 (the fixed version for 8.1.x), from 8.2.0 before 8.2.5 (the fixed version for 8.2.x), and from 8.3.0 before 8.3.4 (the fixed version for 8.3.x), and from 8.4.0 before 8.4.1 (the fixed version for 8.4.x) are affected by this vulnerability.

            h3. Fix

            We have released the following versions of Jira Server & Jira Data Center to address this issue:

            * 8.4.1 which is available for download from https://www.atlassian.com/software/jira/download
            * 8.3.4 which is available for download from https://www.atlassian.com/software/jira/update
            * 8.2.5 which is available for download from https://www.atlassian.com/software/jira/update
            * 8.1.3 which is available for download from https://www.atlassian.com/software/jira/update
            * 7.13.8 which is available for download from https://www.atlassian.com/software/jira/update
            * 7.6.16 which is available for download from https://www.atlassian.com/software/jira/update

            We have released the following versions of Jira Software Server

            * 8.4.1 which is available for download from https://www.atlassian.com/software/jira/download
            * 8.3.4 which is available for download from https://www.atlassian.com/software/jira/update
            * 8.2.5 which is available for download from https://www.atlassian.com/software/jira/update
            * 8.1.3 which is available for download from https://www.atlassian.com/software/jira/update
            * 7.13.8 which is available for download from https://www.atlassian.com/software/jira/update
            * 7.6.16 which is available for download from https://www.atlassian.com/software/jira/update

            For additional details, see the [full advisory|https://confluence.atlassian.com/jira/jira-security-advisory-2019-09-18-976766250.html].
            New: h3. Issue Summary

            There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin (JIM). An attacker with "JIRA Administrators" access can exploit this issue. Successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.

            Affected version:
            * Versions of Jira Server & Jira Data Center starting with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8 (the fixed version for 7.13.x), from 8.0.0 before 8.1.3 (the fixed version for 8.1.x), from 8.2.0 before 8.2.5 (the fixed version for 8.2.x), and from 8.3.0 before 8.3.4 (the fixed version for 8.3.x), and from 8.4.0 before 8.4.1 (the fixed version for 8.4.x) are affected by this vulnerability.

            h3. Fix

            We have released the following versions of Jira Server & Jira Data Center to address this issue:

            * 8.4.1 which is available for download from https://www.atlassian.com/software/jira/download
            * 8.3.4 which is available for download from https://www.atlassian.com/software/jira/update
            * 8.2.5 which is available for download from https://www.atlassian.com/software/jira/update
            * 8.1.3 which is available for download from https://www.atlassian.com/software/jira/update
            * 7.13.8 which is available for download from https://www.atlassian.com/software/jira/update
            * 7.6.16 which is available for download from https://www.atlassian.com/software/jira/update

            We have released the following versions of Jira Software Server to address this issue:

            * 8.4.1 which is available for download from https://www.atlassian.com/software/jira/download
            * 8.3.4 which is available for download from https://www.atlassian.com/software/jira/update
            * 8.2.5 which is available for download from https://www.atlassian.com/software/jira/update
            * 8.1.3 which is available for download from https://www.atlassian.com/software/jira/update
            * 7.13.8 which is available for download from https://www.atlassian.com/software/jira/update
            * 7.6.16 which is available for download from https://www.atlassian.com/software/jira/update

            For additional details, see the [full advisory|https://confluence.atlassian.com/jira/jira-security-advisory-2019-09-18-976766250.html].

              Assignee: Unassigned
              Reporter: aminozhenko alexmin (Inactive)
              Affected customers: 0
              Watchers: 8
