CVE-2019-11581: Jira Server Template Injection Vulnerability Alert

Atlassian has published a security advisory for a server-side template injection vulnerability (CVE-2019-11581) affecting Jira Server and Jira Data Center. An attacker who successfully exploits the vulnerability can execute arbitrary code remotely on the affected server. Jira Cloud customers are not affected.

Jira is a proprietary issue-tracking product developed by Atlassian for bug tracking and agile project management. The product name is a truncation of Gojira, the Japanese name for Godzilla, a nod to the competing tracker Bugzilla.

Vulnerability summary

The vulnerability lies in the ContactAdministrators and SendBulkMail actions of Jira Server and Data Center, both of which pass user-supplied input through the server-side template used to build outgoing mail. An instance is exploitable only if an SMTP server is configured in Jira, and then via at least one of the following paths:

  1. The Contact Administrators Form is enabled. This form is exposed to anonymous users, so this path does not require authentication.
  2. The attacker has "JIRA Administrators" access, which is enough to reach the SendBulkMail action.

Affected versions

The following versions of Jira Server and Jira Data Center are affected:

  • 4.4.x
  • 5.x.x
  • 6.x.x
  • 7.0.x
  • 7.1.x
  • 7.2.x
  • 7.3.x
  • 7.4.x
  • 7.5.x
  • 7.6.x before 7.6.14 (the fixed version for 7.6.x)
  • 7.7.x
  • 7.8.x
  • 7.9.x
  • 7.10.x
  • 7.11.x
  • 7.12.x
  • 7.13.x before 7.13.5 (the fixed version for 7.13.x)
  • 8.0.x before 8.0.3 (the fixed version for 8.0.x)
  • 8.1.x before 8.1.2 (the fixed version for 8.1.x)
  • 8.2.x before 8.2.3 (the fixed version for 8.2.x)

Unaffected versions

The following versions of Jira Server and Jira Data Center contain the fix and are not affected:

  • 7.6.14
  • 7.13.5
  • 8.0.3
  • 8.1.2
  • 8.2.3
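Deciding whether a given instance falls inside the ranges above is error-prone when done by hand across a fleet, especially for the branches that have an in-branch fix (7.6.x, 7.13.x, 8.0.x, 8.1.x, 8.2.x) next to branches that have none. The script below is an added example written for this page; it is not part of Atlassian's advisory or of Jira. It encodes exactly the version ranges listed above, returns "unknown" for any branch the advisory does not mention (for example 8.3.x) rather than guessing, and applies the check to a constructed inventory whose hostnames and versions are made up for illustration.

```python
"""Triage helper for CVE-2019-11581 using the version ranges from the advisory above."""
import re
from typing import Dict, List, Optional, Tuple

# Branch (major, minor) -> first fixed patch level inside that branch.
# None means the whole branch is affected and has no fixed release of its own;
# such instances must move to a fixed branch. Branches absent from this table
# are not covered by the advisory text and are reported as "unknown".
FIXED_IN: Dict[Tuple[int, int], Optional[int]] = {
    (4, 4): None,
    **{(7, minor): None for minor in range(0, 6)},   # 7.0.x .. 7.5.x
    (7, 6): 14,                                      # 7.6.x before 7.6.14
    **{(7, minor): None for minor in range(7, 13)},  # 7.7.x .. 7.12.x
    (7, 13): 5,                                      # 7.13.x before 7.13.5
    (8, 0): 3,                                       # 8.0.x before 8.0.3
    (8, 1): 2,                                       # 8.1.x before 8.1.2
    (8, 2): 3,                                       # 8.2.x before 8.2.3
}

# 5.x.x and 6.x.x are affected in their entirety, whatever the minor version.
AFFECTED_MAJORS = {5, 6}

# Accepts "8.2.1", "7.6" (patch defaults to 0) and suffixed builds like "8.2.1-m0001".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a Jira version string into (major, minor, patch); reject anything else."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Jira version string: {text!r}")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return int(major), int(minor), int(patch)


def assess(version: str) -> str:
    """Return 'affected', 'fixed', or 'unknown' (branch not covered by the advisory)."""
    major, minor, patch = parse_version(version)
    if major in AFFECTED_MAJORS:
        return "affected"
    branch = (major, minor)
    if branch not in FIXED_IN:
        return "unknown"
    fixed_patch = FIXED_IN[branch]
    if fixed_patch is None or patch < fixed_patch:
        return "affected"
    return "fixed"


def needs_attention(inventory: Dict[str, str]) -> List[str]:
    """Hostnames (sorted) that are affected or run a branch the advisory does not cover."""
    return sorted(host for host, ver in inventory.items() if assess(ver) != "fixed")


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "jira-prod.example.internal": "8.2.1",
    "jira-dc.example.internal": "7.13.5",
    "jira-legacy.example.internal": "6.4.14",
    "jira-lab.example.internal": "7.6.14",
    "jira-new.example.internal": "8.3.0",
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        print(f"{host:32} {ver:8} {assess(ver)}")
    print("needs attention:", needs_attention(SAMPLE_INVENTORY))
```

Treat an "unknown" result as a prompt to check Atlassian's advisory for that branch, not as a clean bill of health; the table deliberately refuses to extrapolate beyond the ranges stated on this page.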

Solution

Atlassian has released fixed versions (7.6.14, 7.13.5, 8.0.3, 8.1.2 and 8.2.3) that resolve this vulnerability. Affected users should upgrade Jira Server and Jira Data Center to one of these versions, or later, as soon as possible. Where an immediate upgrade is not possible, the exposure can be reduced in the meantime by disabling the Contact Administrators Form in Jira's general configuration and by blocking access to the SendBulkMail endpoint at a reverse proxy, so that neither vulnerable action can be reached; this is a stopgap, not a substitute for upgrading.