Go to listing page

Critical template injection vulnerability impacts Jira Server and Jira Data Center

Critical template injection vulnerability impacts Jira Server and Jira Data Center
  • The server-side template injection vulnerability tracked as CVE-2019-11581 allows an attacker to launch arbitrary code execution and completely take over the application data and functionality.
  • Atlassian has patched the critical vulnerability in versions 8.2.3, 8.1.2, 8.0.3, 7.13.5, and 7.6.14.

A Bugcrowd researcher Daniil Dmitriev uncovered a critical vulnerability in version 4.4.0 of Jira Server and Jira Data Center.

What is the vulnerability?

The server-side template injection vulnerability tracked as CVE-2019-11581 allows an attacker to launch arbitrary code execution and completely take over the application data and functionality. This vulnerability could allow an attacker to inject malicious input in the template enabling potential execution.

The critical vulnerability in the ContactAdministrators and the SendBulkMail actions could be exploited when the following conditions are met.

  • If the SMTP server is configured in Jira and the Contact Administrators Form is enabled; or
  • If the SMTP server is configured in Jira and an attacker has "JIRA Administrators" access.

If the Contact Administrators Form is enabled, the vulnerability could be exploited without the need for authentication.

“All versions of Jira Server and Data Center from 4.4.0 before 7.6.14 (the fixed version for 7.6.x), from 7.7.0 before 7.13.5 (the fixed version for 7.13.x), from 8.0.0 before 8.0.3 (the fixed version for 8.0.x), from 8.1.0 before 8.1.2 (the fixed version for 8.1.x), and from 8.2.0 before 8.2.3 are affected by this vulnerability,” the advisory read.

Patches for the vulnerability

Atlassian has patched the critical vulnerability in versions 8.2.3, 8.1.2, 8.0.3, 7.13.5, and 7.6.14. Atlassian has also provided temporary mitigations, which include:

  • Disabling the Contact Administrators Form,
  • Blocking the SendBulkMail endpoint (/secure/admin/SendBulkMail!default.jspa) from being accessed.
Cyware Publisher

Publisher

Cyware