Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-11581

There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.

Published

2019-08-09T20:15:11.270

Last Modified

2025-04-02T20:19:03.713

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

8.6

Impact Score

10.0

Weaknesses

Type: Primary
CWE-74
Type: Secondary
CWE-74

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	atlassian	jira_server	< 7.6.14	Yes
Application	atlassian	jira_server	< 7.13.5	Yes
Application	atlassian	jira_server	< 8.0.3	Yes
Application	atlassian	jira_server	< 8.1.2	Yes
Application	atlassian	jira_server	< 8.2.3	Yes

References

https://jira.atlassian.com/browse/JRASERVER-69532 Issue Tracking, Vendor Advisory ([email protected])
https://jira.atlassian.com/browse/JRASERVER-69532 Issue Tracking, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)