⚠ Actively exploited
Added to CISA KEV on 2022-03-07. Federal agencies required to patch by 2022-09-07. Required action: Apply updates per vendor instructions.

CVE-2019-11581: Injection in Atlassian Jira Server and Data Center

Severity: 9.8 CRITICAL (NVD)
EPSS: 94.4% (top 0.04%)
CISA KEV: Added 2022-03-07, due 2022-09-07
Exploit: Exploited in the wild, active exploitation observed

Timeline
Published: 2019-08-09
KEV added: 2022-03-07
Latest update: 2022-05-24
KEV due: 2022-09-07
CISA Required Action: Apply updates per vendor instructions.

Description

There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 5.9)

Affected Packages (2 packages)

Source    | Package                                  | Affected from | Up to / fixed | More
CVEListV5 | atlassian/jira_server_and_data_center   | 4.4.0         | unspecified   | +9
NVD       | atlassian/jira_server                    | 4.4           | 7.6.14        | +4

Vulnerability Details (3)

GHSA: GHSA-55hv-x43w-phcv: There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions (2022-05-24)
CVEList: CVE-2019-11581: There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions (2019-08-09)
VulnCheck: Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability (2019)

Exploits & PoCs (1)

Nuclei: Atlassian Jira Server-Side Template Injection

Detection Rules (1)

Suricata: ET WEB_SPECIFIC_APPS Atlassian JIRA Template Injection RCE (CVE-2019-11581) (2019-07-15)

Vendor Advisories (1)

CISA: Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability (2022-03-07)
CVE-2019-11581 — Injection in Atlassian | cvebase