CVE-2019-11581
Published 2019-08-09
Priority P195 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2022-09-07
Exploited in the wild
EPSS: 84.62% (99.7th percentile)
There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| atlassian | jira_server | >= 4.4 < 7.6.14 | 7.6.14 |
| atlassian | jira_server | >= 7.7.0 < 7.13.5 | 7.13.5 |
| atlassian | jira_server | >= 8.0.0 < 8.0.3 | 8.0.3 |
| atlassian | jira_server | >= 8.1.0 < 8.1.2 | 8.1.2 |
| atlassian | jira_server | >= 8.2.0 < 8.2.3 | 8.2.3 |
| atlassian | jira_server_and_data_center | >= 4.4.0 < unspecified | unspecified |
| atlassian | jira_server_and_data_center | >= 7.7.0 < unspecified | unspecified |
| atlassian | jira_server_and_data_center | >= 8.0.0 < unspecified | unspecified |
| atlassian | jira_server_and_data_center | >= 8.1.0 < unspecified | unspecified |
| atlassian | jira_server_and_data_center | >= 8.2.0 < unspecified | unspecified |
| atlassian | jira_server_and_data_center | >= unspecified < 7.6.14 | 7.6.14 |
| atlassian | jira_server_and_data_center | >= unspecified < 7.13.5 | 7.13.5 |
| atlassian | jira_server_and_data_center | >= unspecified < 8.0.3 | 8.0.3 |
| atlassian | jira_server_and_data_center | >= unspecified < 8.1.2 | 8.1.2 |
| atlassian | jira_server_and_data_center | >= unspecified < 8.2.3 | 8.2.3 |
Detection & IOCs
url: /secure/ContactAdministrators!default.jspa
path: /secure/ContactAdministrators
snort:
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Atlassian JIRA Template Injection RCE (CVE-2019-11581)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/secure/ContactAdministrators"; fast_pattern; content:".jspa"; endswith; http.request_body; content:"subject="; content:"|2e|forName"; distance:0; content:"java.lang.Runtime"; distance:2; within:23; content:"|2e|getMethod"; distance:2; within:16; content:"getRuntime"; distance:1; within:16; content:"|2e|exec"; distance:0; content:"|2e|waitFor"; distance:0; reference:url,medium.com/@ruvlol/rce-in-jira-cve-2019-11581-901b845f0f; reference:url,confluence.atlassian.com/jira/jira-security-advisory-2019-07-10-973486595.html; reference:cve,CVE-2019-11581; classtype:attempted-admin; sid:2027711; rev:5; metadata:attack_target Web_Server, created_at 2019_07_15, deployment Perimeter, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2020_09_17;)
bytes:
subject= ... |2e|forName ... java.lang.Runtime ... |2e|getMethod ... getRuntime ... |2e|exec ... |2e|waitFor
yara:
id: CVE-2019-11581 (Nuclei template — matchers: body contains 'Contact Site Administrators', NOT 'has not yet configured this contact form', version regex matches vulnerable versions)
- The vulnerability is exploitable via HTTP POST to /secure/ContactAdministrators*.jspa with a crafted 'subject' field containing SSTI payloads invoking java.lang.Runtime for RCE. Look for the specific byte sequence in the request body.
- Detect vulnerable Jira instances by GETting /secure/ContactAdministrators!default.jspa and checking the response body for 'Contact Site Administrators' (enabled form) while NOT containing 'has not yet configured this contact form', combined with a version string regex matching affected releases.
- Shodan queries can surface exposed Jira instances: search for http.component:"Atlassian Jira" or cpe:"cpe:2.3:a:atlassian:jira".
- Check Point IPS Blade signature name for network-level detection of exploitation attempts.
- Jira Cloud customers are NOT affected; this vulnerability only impacts self-hosted Jira Server and Data Center deployments.
- Jira Service Desk versions 3.0.0 before 4.2.3 may also be affected; a compatibility matrix is provided by Atlassian to determine exposure.
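The version ranges and response-body matchers listed above can be combined into an offline triage check for an asset inventory. This is an added example, not code from Atlassian or from the Nuclei template; the function names are hypothetical, and it assumes the Jira version string and a saved response body of the contact page are already available for each instance.

```python
import re

# (first affected, first fixed) pairs, taken from the advisory text on this page.
AFFECTED_RANGES = [
    ((4, 4, 0), (7, 6, 14)),
    ((7, 7, 0), (7, 13, 5)),
    ((8, 0, 0), (8, 0, 3)),
    ((8, 1, 0), (8, 1, 2)),
    ((8, 2, 0), (8, 2, 3)),
]
# Body matchers quoted in the detection notes above.
FORM_ENABLED = "Contact Site Administrators"
FORM_UNCONFIGURED = "has not yet configured this contact form"


def parse_version(text):
    """Parse 'X.Y' or 'X.Y.Z' into a 3-tuple of ints; None if malformed."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    return tuple(int(p or 0) for p in m.groups()) if m else None


def fixed_in(version):
    """Return the fixed release for an affected version, else None."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unparseable Jira version: {version!r}")
    for start, fixed in AFFECTED_RANGES:
        if start <= v < fixed:  # tuple comparison is numeric per component
            return ".".join(map(str, fixed))
    return None


def triage(version, contact_page_body):
    """Classify one instance from its version and a saved body of
    /secure/ContactAdministrators!default.jspa."""
    fix = fixed_in(version)
    if fix is None:
        return "not affected by version"
    # A disabled form does not clear the instance: the advisory also
    # names the SendBulkMail action, so the upgrade is still required.
    form_on = (FORM_ENABLED in contact_page_body
               and FORM_UNCONFIGURED not in contact_page_body)
    if form_on:
        return f"affected, contact form enabled: upgrade to {fix}"
    return f"affected version, contact form not enabled: upgrade to {fix}"


if __name__ == "__main__":
    # Constructed inventory rows (version, saved response body).
    rows = [("8.1.1", "<h1>Contact Site Administrators</h1>"),
            ("7.6.13", "Your Jira administrator has not yet configured this contact form."),
            ("7.6.14", "<h1>Contact Site Administrators</h1>")]
    for version, body in rows:
        print(version, "->", triage(version, body))
```

Versions are compared as integer tuples so that 7.13.5 sorts after 7.6.14, which a plain string comparison gets wrong.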
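CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |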
GHSA
GHSA-55hv-x43w-phcv: There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions
ghsa_unreviewed·2022-05-24
CVE-2019-11581 [CRITICAL] CWE-74 GHSA-55hv-x43w-phcv: There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions
VulnCheck
Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability
vulncheck·2019·CVSS 9.8
CVE-2019-11581 [CRITICAL] CWE-74 Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability
Atlassian Jira Server and Data Center contain a server-side template injection vulnerability which can allow for remote code execution.
Affected: Atlassian Jira Server and Data Center
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf; https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/; https://cujo.com/the-sysrv-botnet-and-how-it-evolved/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-24-PalotayZsigovits.pdf; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?d
CISA
Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability
cisa·2022-03-07·CVSS 9.8
CVE-2019-11581 [CRITICAL] CWE-74 Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability
Vulnerability: Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability
Affected: Atlassian Jira Server and Data Center
Atlassian Jira Server and Data Center contain a server-side template injection vulnerability which can allow for remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-11581
Remediation Due Date: 2022-09-07
Suricata
ET WEB_SPECIFIC_APPS Atlassian JIRA Template Injection RCE (CVE-2019-11581)
suricata·2019-07-15·CVSS 9.8
CVE-2019-11581 [CRITICAL] ET WEB_SPECIFIC_APPS Atlassian JIRA Template Injection RCE (CVE-2019-11581)
Nuclei
Atlassian Jira Server-Side Template Injection
nuclei·CVSS 9.8
CVE-2019-11581 [CRITICAL] Atlassian Jira Server-Side Template Injection
Jira Server and Data Center is susceptible to a server-side template injection vulnerability via the ContactAdministrators and SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.
Template:
id: CVE-2019-11581
info:
  name: Atlassian Jira Server-Side Template Injection
  author: ree4pwn
  severity: critical
  description: Jira Server and Data Center is susceptible to a server-side template injection vulnerability via the ContactAdministrators and SendBulkMail
Tenable
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
blogs_tenable·2023-08-03
Tenable
CVE-2019-14994: URL Path Traversal Vulnerability in Jira Service Desk Leads to Information Disclosure
blogs_tenable·2019-09-19·CVSS 7.5
[HIGH] CVE-2019-14994: URL Path Traversal Vulnerability in Jira Service Desk Leads to Information Disclosure
Tenable
CVE-2019-0708: BlueKeep Exploits Could Be Around the Corner
blogs_tenable·2019-08-01·CVSS 9.8
[CRITICAL] CVE-2019-0708: BlueKeep Exploits Could Be Around the Corner
Tenable
WatchBog Malware Adds BlueKeep Scanner (CVE-2019-0708), New Exploits (CVE-2019-10149, CVE-2019-11581)
blogs_tenable·2019-07-25·CVSS 9.8
[CRITICAL] WatchBog Malware Adds BlueKeep Scanner (CVE-2019-0708), New Exploits (CVE-2019-10149, CVE-2019-11581)
Checkpoint
22nd July – Threat Intelligence Bulletin
blogs_checkpoint·2019-07-22
CVE-2019-11580 22nd July – Threat Intelligence Bulletin
## 22nd July – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 22nd July 2019, please download our Threat Intelligence Bulletin
TOP ATTACKS AND BREACHES
The Bulgarian government has suffered a major data breach exposing personal and financial information of 5 million citizens after threat actors managed to hack the country’s tax reporting service. The threat actors, who claim to be Russians, sent some of the 21 GB of stolen information to the Bulgarian media.
SyTech, a co
Tenable
CVE-2019-11581: Critical Template Injection Vulnerability in Atlassian Jira Server and Data Center
blogs_tenable·2019-07-11·CVSS 9.8
[CRITICAL] CVE-2019-11581: Critical Template Injection Vulnerability in Atlassian Jira Server and Data Center
Recorded Future
Analyze Recent Atlassian Vulnerabilities and Keep Your Infrastructure Protected
blogs_recorded_future·CVSS 9.6
[CRITICAL] Analyze Recent Atlassian Vulnerabilities and Keep Your Infrastructure Protected
## Analyze Recent Atlassian Vulnerabilities and Keep Your Infrastructure Protected
For years, software solutions built by Atlassian have found their way to nearly every organization's software stack. Tools such as JIRA, Confluence, Bamboo, and BitBucket are often seen playing a crucial role in various departments across enterprises.
From managing projects or handling organization-wide documentation, to hosting the very code of a product being developed by the organization, the constant reliance upon and amount of historical data held within these applications have turned them into a lucrative target for attackers, expanding the attack surface in the process.
## Historical Atlassian Vulnerabilities
Traditionally, vulnerabilities within the Atlassian software stack have originated from d
2019-08-09: Published
2022-03-07: Added to CISA KEV
Exploited in the wild