CVE-2019-11581

Summary

There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.

Affected Software

VendorProductVersion RangeStatus
AtlassianJira Server and Data Center4.4.0 < unspecifiedaffected
AtlassianJira Server and Data Centerunspecified < 7.6.14affected
AtlassianJira Server and Data Center7.7.0 < unspecifiedaffected
AtlassianJira Server and Data Centerunspecified < 7.13.5affected
AtlassianJira Server and Data Center8.0.0 < unspecifiedaffected
AtlassianJira Server and Data Centerunspecified < 8.0.3affected
AtlassianJira Server and Data Center8.1.0 < unspecifiedaffected
AtlassianJira Server and Data Centerunspecified < 8.1.2affected
AtlassianJira Server and Data Center8.2.0 < unspecifiedaffected
AtlassianJira Server and Data Centerunspecified < 8.2.3affected

Weaknesses

  • Template injection

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: yes
    • Technical Impact: total

Additional References

References