vulnerability

JIRA Security Advisory 2019-07-10: Jira Server - Template injection in various resources

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
9	(AV:N/AC:M/Au:N/C:C/I:C/A:C)	Jul 10, 2019	Jul 12, 2019	May 3, 2022

Severity

CVSS

(AV:N/AC:M/Au:N/C:C/I:C/A:C)

Published

Jul 10, 2019

Added

Jul 12, 2019

Modified

May 3, 2022

Description

There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. For this issue to be exploitable at least one of the following conditions must be met (an SMTP server has been configured in Jira and the Contact Administrators Form is enabled; or an SMTP server has been configured in Jira and an attacker has "JIRA Administrators" access.)
In the first case, where the Contact Administrators Form is enabled, attackers are able to exploit this issue without authentication. In the second case, attackers with "JIRA Administrators" access can exploit this issue. In either case, successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.

Solutions

atlassian-jira-upgrade-7_13_5atlassian-jira-upgrade-7_6_14atlassian-jira-upgrade-8_0_3atlassian-jira-upgrade-8_1_2atlassian-jira-upgrade-8_2_3

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today