CVE Vulnerabilities

CVE-2019-11581

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Published: Aug 09, 2019 | Modified: Mar 25, 2022
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
9.3 HIGH
AV:N/AC:M/Au:N/C:C/I:C/A:C
RedHat/V2
RedHat/V3
Ubuntu

There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.

Weakness

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Affected Software

Name Vendor Start Version End Version
Jira Atlassian 4.4 (including) 7.6.14 (excluding)
Jira_server Atlassian 7.7.0 (including) 7.13.5 (excluding)
Jira_server Atlassian 8.0.0 (including) 8.0.3 (excluding)
Jira_server Atlassian 8.1.0 (including) 8.1.2 (excluding)
Jira_server Atlassian 8.2.0 (including) 8.2.3 (excluding)

Potential Mitigations

References