CVE-2019-11581
published 2019-08-09

Priority: P195, critical, CVSS 3.1 score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2022-09-07
Exploited in the wild
EPSS: 84.62% (99.7th percentile)
There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.

Affected (15 ranges)

Vendor    | Product                     | Version range              | Fixed in
atlassian | jira_server                 | >= 4.4 < 7.6.14            | 7.6.14
atlassian | jira_server                 | >= 7.7.0 < 7.13.5          | 7.13.5
atlassian | jira_server                 | >= 8.0.0 < 8.0.3           | 8.0.3
atlassian | jira_server                 | >= 8.1.0 < 8.1.2           | 8.1.2
atlassian | jira_server                 | >= 8.2.0 < 8.2.3           | 8.2.3
atlassian | jira_server_and_data_center | >= 4.4.0 < unspecified     | unspecified
atlassian | jira_server_and_data_center | >= 7.7.0 < unspecified     | unspecified
atlassian | jira_server_and_data_center | >= 8.0.0 < unspecified     | unspecified
atlassian | jira_server_and_data_center | >= 8.1.0 < unspecified     | unspecified
atlassian | jira_server_and_data_center | >= 8.2.0 < unspecified     | unspecified
atlassian | jira_server_and_data_center | >= unspecified < 7.6.14    | 7.6.14
atlassian | jira_server_and_data_center | >= unspecified < 7.13.5    | 7.13.5
atlassian | jira_server_and_data_center | >= unspecified < 8.0.3     | 8.0.3
atlassian | jira_server_and_data_center | >= unspecified < 8.1.2     | 8.1.2
atlassian | jira_server_and_data_center | >= unspecified < 8.2.3     | 8.2.3

Detection & IOCs (extracted from sources)

url: /secure/ContactAdministrators!default.jspa
path: /secure/ContactAdministrators
path: /secure/admin/SendBulkMail!default.jspa

snort rule:
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Atlassian JIRA Template Injection RCE (CVE-2019-11581)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/secure/ContactAdministrators"; fast_pattern; content:".jspa"; endswith; http.request_body; content:"subject="; content:"|2e|forName"; distance:0; content:"java.lang.Runtime"; distance:2; within:23; content:"|2e|getMethod"; distance:2; within:16; content:"getRuntime"; distance:1; within:16; content:"|2e|exec"; distance:0; content:"|2e|waitFor"; distance:0; reference:url,medium.com/@ruvlol/rce-in-jira-cve-2019-11581-901b845f0f; reference:url,confluence.atlassian.com/jira/jira-security-advisory-2019-07-10-973486595.html; reference:cve,CVE-2019-11581; classtype:attempted-admin; sid:2027711; rev:5; metadata:attack_target Web_Server, created_at 2019_07_15, deployment Perimeter, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2020_09_17;)
bytes (request-body sequence matched by the rule):
subject= ... |2e|forName ... java.lang.Runtime ... |2e|getMethod ... getRuntime ... |2e|exec ... |2e|waitFor

template:
id: CVE-2019-11581 (Nuclei template; matchers: body contains 'Contact Site Administrators', NOT 'has not yet configured this contact form', version regex matches vulnerable versions)
  • The vulnerability is exploitable via HTTP POST to /secure/ContactAdministrators*.jspa with a crafted 'subject' field containing SSTI payloads that invoke java.lang.Runtime for RCE. Look for the specific byte sequence above in the request body.
  • Detect vulnerable Jira instances by GETting /secure/ContactAdministrators!default.jspa and checking that the response body contains 'Contact Site Administrators' (the form is enabled) while NOT containing 'has not yet configured this contact form', combined with a version string regex matching the affected releases.
  • Shodan queries can surface exposed Jira instances: search for http.component:"Atlassian Jira" or cpe:"cpe:2.3:a:atlassian:jira".
  • Check Point publishes an IPS Blade signature for network-level detection of exploitation attempts.
  • Jira Cloud customers are NOT affected; this vulnerability only impacts self-hosted Jira Server and Data Center deployments.
  • Jira Service Desk versions 3.0.0 before 4.2.3 may also be affected; Atlassian provides a compatibility matrix to determine exposure.
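The version-range and form-marker checks described above can be applied offline to a fetched response body. The following Python is an added example written for this page; it is not code from cbcvebase, Atlassian, or the Nuclei template. It encodes the jira_server ranges from the Affected table, applies the two body markers the template uses, and assumes (this example's own regex, not the template's) that the Jira footer exposes the build as "(v8.2.2#802003-...)". The sample HTML bodies are constructed, not captured from any server.

```python
import re
from typing import Optional

# Affected ranges taken from the Affected table on this page (jira_server rows):
# (first affected, first fixed); a version is affected if lo <= v < hi.
AFFECTED_RANGES = [
    ("4.4.0", "7.6.14"),
    ("7.7.0", "7.13.5"),
    ("8.0.0", "8.0.3"),
    ("8.1.0", "8.1.2"),
    ("8.2.0", "8.2.3"),
]

# Response-body markers used by the Nuclei template described above.
FORM_ENABLED_MARKER = "Contact Site Administrators"
FORM_DISABLED_MARKER = "has not yet configured this contact form"

# Assumption (this example's own, not the template's regex): the Jira page
# footer carries the build as "(v8.2.2#802003-...)".
VERSION_RE = re.compile(r"\(v(\d+(?:\.\d+){1,2})#")


def parse_version(s: str) -> tuple:
    """'7.6.14' -> (7, 6, 14); shorter strings such as '4.4' are zero-padded."""
    parts = s.strip().split(".")
    if not parts or len(parts) > 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {s!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release if `version` is in an affected range, else None."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return hi
    return None


def extract_version(body: str) -> Optional[str]:
    """Pull the build version out of the footer, or None if it is not present."""
    m = VERSION_RE.search(body)
    return m.group(1) if m else None


def assess_response(body: str) -> dict:
    """Classify a GET /secure/ContactAdministrators!default.jspa response body."""
    form_enabled = FORM_ENABLED_MARKER in body and FORM_DISABLED_MARKER not in body
    version = extract_version(body)
    fixed_in = fixed_version_for(version) if version else None
    return {
        "form_enabled": form_enabled,
        "version": version,
        "fixed_in": fixed_in,  # None when not affected or version unknown
        # Exposed only when the form is reachable AND the build is in an affected range;
        # a disabled form on a vulnerable build still warrants patching (fixed_in is set).
        "exposed": form_enabled and fixed_in is not None,
    }


# Constructed sample responses (not captured from any real server).
SAMPLE_VULNERABLE = """<html><head><title>Contact Site Administrators - Jira</title></head>
<body><h1>Contact Site Administrators</h1><form>...</form>
<footer><span id="footer-build-information">(v8.2.2#802003-sha1:abcdef0)</span></footer>
</body></html>"""

SAMPLE_DISABLED = """<html><body><h1>Contact Site Administrators</h1>
<p>The administrator has not yet configured this contact form.</p>
<footer>(v8.2.2#802003-sha1:abcdef0)</footer></body></html>"""

SAMPLE_PATCHED = """<html><body><h1>Contact Site Administrators</h1><form>...</form>
<footer>(v8.2.3#802004-sha1:abcdef0)</footer></body></html>"""

if __name__ == "__main__":
    for name, body in [("vulnerable", SAMPLE_VULNERABLE),
                       ("form disabled", SAMPLE_DISABLED),
                       ("patched", SAMPLE_PATCHED)]:
        print(name, assess_response(body))
```

The three samples cover the cases the template's matchers distinguish: an enabled form on an affected build (exposed), a disabled form on the same build (not exposed through this endpoint, but still on a version that needs the fix), and an enabled form on the first fixed release.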

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0): 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL