CVE-2019-11581: Jira Server Template Injection Vulnerability Alert
Jira recently released a security bulletin fixing a server-side template injection vulnerability (CVE-2019-11581) that affects Jira Server and Jira Data Center. An attacker who successfully exploits the vulnerability can execute code remotely on the affected server. Users of Jira Cloud are not affected.
Jira is a proprietary issue tracking product developed by Atlassian that allows bug tracking and agile project management. The product name is a truncation of Gojira, the Japanese word for Godzilla, which is a reference to a competitor, Bugzilla.
Vulnerability summary
The vulnerability stems from the ContactAdministrator and SendBulkMail operations in Jira Server and Data Center. Successful exploitation requires at least one of the following conditions:
- The SMTP server is configured in JIRA and the Contact Administrators Form option is enabled.
- The SMTP server is configured in JIRA, and the attacker has “JIRA Administrators” access.
Affected version
The following versions of Jira Server and Jira Data Center are affected:
- 4.4.x
- 5.x.x
- 6.x.x
- 7.0.x
- 7.1.x
- 7.2.x
- 7.3.x
- 7.4.x
- 7.5.x
- 7.6.x before 7.6.14 (the fixed release for 7.6.x)
- 7.7.x
- 7.8.x
- 7.9.x
- 7.10.x
- 7.11.x
- 7.12.x
- 7.13.x before 7.13.5 (the fixed release for 7.13.x)
- 8.0.x before 8.0.3 (the fixed release for 8.0.x)
- 8.1.x before 8.1.2 (the fixed release for 8.1.x)
- 8.2.x before 8.2.3 (the fixed release for 8.2.x)
Unaffected version
The following versions of Jira Server and Jira Data Center are not affected:
- 7.6.14
- 7.13.5
- 8.0.3
- 8.1.2
- 8.2.3
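To turn the preconditions and the affected/fixed version ranges above into a repeatable check, here is an added example (not code from the advisory or from Atlassian) that classifies a Jira Server or Data Center version string against the ranges listed, and combines the result with the two preconditions (SMTP server configured, Contact Administrators Form enabled). The branch table and the sample versions are constructed from this page; versions outside the listed ranges are reported as not covered rather than guessed.

```python
from typing import Optional, Tuple

# Per-branch fixed releases taken from the advisory: releases on the same
# branch below this number are affected, this number and above are not.
FIXED_ON_BRANCH = {
    (7, 6): (7, 6, 14),
    (7, 13): (7, 13, 5),
    (8, 0): (8, 0, 3),
    (8, 1): (8, 1, 2),
    (8, 2): (8, 2, 3),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'8.2.1' -> (8, 2, 1); rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(text: str) -> Optional[bool]:
    """True: affected. False: carries the fix. None: not covered by the advisory."""
    v = parse_version(text)
    major, minor = v[0], (v[1] if len(v) > 1 else 0)
    branch = (major, minor)
    if branch in FIXED_ON_BRANCH:            # branches that received a fix
        return v < FIXED_ON_BRANCH[branch]
    if branch == (4, 4) or major in (5, 6):  # whole branches with no fix
        return True
    if major == 7 and minor <= 12:           # 7.0.x .. 7.12.x, all affected
        return True
    return None


def exposure(version: str, smtp_configured: bool, contact_admins_form: bool) -> str:
    """Combine the version check with the two preconditions the advisory names."""
    affected = is_affected(version)
    if affected is False:
        return "patched"
    if affected is None:
        return "unknown"
    if not smtp_configured:            # both preconditions need an SMTP server
        return "not-reachable"
    if contact_admins_form:            # first precondition: form enabled
        return "reachable-via-contact-form"
    return "reachable-by-admins"       # second precondition: admin access only
```

Feed it the version strings from your own inventory; any instance reported as reachable should be upgraded to the fixed release for its branch, and an instance reported as not-reachable is still running vulnerable code and should be upgraded as well.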
Solution
Jira has officially released new versions that fix the above vulnerability; affected users should upgrade Jira Server and Jira Data Center as soon as possible.
- 8.2.3 which is available for download from https://www.atlassian.com/software/jira/download.
- 8.1.2 which is available for download from https://www.atlassian.com/software/jira/update.
- 8.0.3 which is available for download from https://www.atlassian.com/software/jira/update.
- 7.13.5 which is available for download from https://www.atlassian.com/software/jira/update.
- 7.6.14 which is available for download from https://www.atlassian.com/software/jira/update.