Jira Server and Data Center products suffer from a template injection vulnerability. Many versions are affected.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
This email refers to the advisory found at
https://confluence.atlassian.com/x/AzoGOg .
CVE ID:
* CVE-2019-11581.
Product: Jira Server and Data Center.
Affected Jira Server and Data Center product versions:
4.0.0 <= version < 7.6.14
7.13.0 <= version < 7.13.5
8.0.0 <= version < 8.0.3
8.1.0 <= version < 8.1.2
8.2.0 <= version < 8.2.3
Fixed Jira Server and Data Center product versions:
* Jira Server and Data Center 7.6.14 has been released with a fix for this
issue.
* for 7.13.x, Jira Server and Data Center 7.13.5 has been released with a fix
for this issue.
* for 8.0.x, Jira Server and Data Center 8.0.3 has been released with a fix for
this issue.
* for 8.1.x, Jira Server and Data Center 8.1.2 has been released with a fix for
this issue.
* for 8.2.x, Jira Server and Data Center 8.2.3 has been released with a fix for
this issue.
* Jira Server and Data Center 8.3.0 has been released with a fix for this
issue.
Summary:
This advisory discloses a critical severity security vulnerability. Versions of
Jira Server and Data Center are affected by this vulnerability.
Customers who have upgraded Jira Server and Data Center to version 7.6.14 or
7.13.5 or 8.0.3 or 8.1.2 or 8.2.3 or 8.3.0 are not affected.
Customers who have downloaded and installed any of the following versions of
Jira Server and Data Center should upgrade their Jira Server and Data Center
installations immediately to fix this vulnerability:
* >= 4.0.0 but less than 7.6.14;
* >= 7.13.0 but less than 7.13.5 (the fixed version for 7.13.x);
* >= 8.0.0 but less than 8.0.3 (the fixed version for 8.0.x);
* >= 8.1.0 but less than 8.1.2 (the fixed version for 8.1.x);
* >= 8.2.0 but less than 8.2.3 (the fixed version for 8.2.x);
* any version less than 8.3.0.
Template injection in various resources - CVE-2019-11581
Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.
Description:
There was a server-side template injection vulnerability in Jira Server and Data
Center, in the ContactAdministrators and the SendBulkMail actions. For this
issue to be exploitable at least one of the following conditions must be met:
- an SMTP server has been configured in Jira and the Contact Administrators
Form is enabled; or
- an SMTP server has been configured in Jira and an attacker has `JIRA
Administrators` access.
In the first case, where the Contact Administrators Form is enabled, attackers
are able to exploit this issue without authentication. In the second case,
attackers with `JIRA Administrators` access can exploit this issue. In either
case, successful exploitation of this issue allows an attacker to remotely
execute code on systems that run a vulnerable version of Jira Server or Data
Center.
Versions of Jira Server and Data Center starting with version 7.0.0 before
7.6.14 (the fixed version for 7.6.x), from version 7.7.0 before 7.13.5 (the
fixed version for 7.13.x), from version 8.0.0 before 8.0.3 (the fixed version
for 8.0.x), from version 8.1.0 before 8.1.2 (the fixed version for 8.1.x), and
from version 8.2.0 before 8.2.3 (the fixed version for 8.2.x) are affected by
this vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/JRASERVER-69532 .
Fix:
To address this issue, we've released the following versions containing a fix:
* Jira Server and Data Center version 7.6.14
* Jira Server and Data Center version 7.13.5
* Jira Server and Data Center version 8.0.3
* Jira Server and Data Center version 8.1.2
* Jira Server and Data Center version 8.2.3
* Jira Server and Data Center version 8.3.0
Remediation:
Upgrade Jira Server and Data Center to version 8.3.0 or higher.
The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.
If you are running Jira Server and Data Center 7.6.x and cannot upgrade to
8.3.0, upgrade to version 7.6.14.
If you are running Jira Server and Data Center 7.13.x and cannot upgrade to
8.3.0, upgrade to version 7.13.5.
If you are running Jira Server and Data Center 8.0.x and cannot upgrade to
8.3.0, upgrade to version 8.0.3.
If you are running Jira Server and Data Center 8.1.x and cannot upgrade to
8.3.0, upgrade to version 8.1.2.
If you are running Jira Server and Data Center 8.2.x and cannot upgrade to
8.3.0, upgrade to version 8.2.3.
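The affected ranges and the per-line fix versions above map directly onto a version check an administrator can run against an inventory. The following Python script is an added example, not part of the Atlassian advisory or of any Atlassian tooling: it parses a Jira version string, compares it as numeric components rather than as text (string comparison would wrongly treat 8.10.1 as older than 8.2.3), and reports the fix version for that release line together with the advisory's overall recommendation of 8.3.0. Because the advisory gives two lower bounds for the 7.13.5 fix (7.13.0 in the affected-versions list, 7.7.0 in the Description), the check takes the broader 7.7.0 reading. The serverInfo JSON is a constructed sample; the assess_server_info helper assumes the documented GET /rest/api/2/serverInfo response carries a top-level "version" field.

```python
"""Check a Jira Server / Data Center version against the CVE-2019-11581
affected ranges from the Atlassian advisory and report the fix version.
Added example; not Atlassian code."""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (lowest affected, first fixed) per release line, taken from the advisory.
# A version v is affected when low <= v < fixed.
# The 7.7.0 lower bound follows the Description paragraph ("from version
# 7.7.0 before 7.13.5"); the affected-versions list names 7.13.0 instead.
AFFECTED_RANGES = [
    ((4, 0, 0), (7, 6, 14)),
    ((7, 7, 0), (7, 13, 5)),
    ((8, 0, 0), (8, 0, 3)),
    ((8, 1, 0), (8, 1, 2)),
    ((8, 2, 0), (8, 2, 3)),
]

# The advisory's overall recommendation: upgrade to 8.3.0 or higher.
LATEST_FIX: Version = (8, 3, 0)


def parse_version(text: str) -> Version:
    """Parse '8.2.1', '7.13' or '8.1.0-m0001' into a comparable 3-tuple.
    Missing components default to 0; any trailing suffix is ignored."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(part) for part in v)


def assess(version_text: str) -> dict:
    """Return whether the version is affected and which upgrades close it.

    Tuples compare component-wise, so (8, 10, 1) correctly sorts after
    (8, 2, 3); comparing the raw strings would get that backwards."""
    v = parse_version(version_text)
    for low, fixed in AFFECTED_RANGES:
        if low <= v < fixed:
            return {
                "version": version_text,
                "affected": True,
                # Smallest upgrade that stays on the same release line.
                "fix_for_line": fmt(fixed),
                # What the advisory recommends if a major upgrade is possible.
                "recommended": fmt(LATEST_FIX),
            }
    return {
        "version": version_text,
        "affected": False,
        "fix_for_line": None,
        "recommended": None,
    }


def assess_server_info(server_info_json: str) -> dict:
    """Assess the JSON body of GET /rest/api/2/serverInfo (assumed to carry
    a top-level "version" string, as the Jira Server REST API documents)."""
    info = json.loads(server_info_json)
    return assess(info["version"])


# Constructed sample response; not captured from a real server.
SAMPLE_SERVER_INFO = json.dumps(
    {"baseUrl": "https://jira.example.invalid", "version": "8.2.1"}
)

if __name__ == "__main__":
    for candidate in ["7.6.13", "7.9.0", "8.2.1", "8.2.3", "8.10.1"]:
        print(assess(candidate))
    print(assess_server_info(SAMPLE_SERVER_INFO))
```

Run it against the versions reported by each instance (the serverInfo endpoint needs no authentication on most installations, so the same check works from a scanner or inventory script). A result with "affected": True and "fix_for_line" set tells you the smallest patch-level upgrade; "recommended" is the advisory's 8.3.0 target. Versions at or above a line's fix version (for example 7.6.14 or 8.2.3) report as not affected.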
For a full description of the latest version of Jira Server and Data Center,
see the release notes found at
https://confluence.atlassian.com/jirasoftware/jira-software-release-notes-776821069.html.
You can download the latest version of Jira Server and Data Center from the
download centre found at https://www.atlassian.com/software/jira/download.
Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----