CVE-2019-11581
Published: 09 August 2019
Summary
CVE-2019-11581 is a critical-severity Injection (CWE-74) vulnerability in Atlassian Jira Server. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-11581 is a server-side template injection vulnerability present in the ContactAdministrators and SendBulkMail actions of Atlassian Jira Server and Data Center. It affects all versions from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3, and is tracked under CWE-74 with a CVSS 3.1 score of 9.8.
An unauthenticated remote attacker can supply crafted input to these actions and achieve arbitrary code execution on the underlying server with no user interaction required.
The issue is documented in the Atlassian advisory JRASERVER-69532, which identifies the fixed releases, and the vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation and underscoring the importance of applying the available patches.
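As an added example, not taken from the Atlassian advisory or this page's source, the following check decides whether an installed Jira Server or Data Center version falls inside the affected ranges listed above and which fixed release it must reach; the hostnames and versions in the sample inventory are constructed.

```python
from __future__ import annotations

# Affected ranges for CVE-2019-11581 as given in the advisory text:
# lower bound inclusive, upper bound exclusive (the upper bound is the fixed release).
AFFECTED_RANGES = [
    ("4.4.0", "7.6.14"),
    ("7.7.0", "7.13.5"),
    ("8.0.0", "8.0.3"),
    ("8.1.0", "8.1.2"),
    ("8.2.0", "8.2.3"),
]

def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted Jira version such as '7.13.2' into a comparable tuple.
    Plain string comparison would wrongly rank '7.13' below '7.6', so each
    component is compared numerically. A suffix like '-rc1' is dropped and
    missing components count as 0, so '8.1' compares like '8.1.0'."""
    core = version.strip().split("-")[0]
    parts = [int(p) for p in core.split(".") if p != ""]
    if not parts:
        raise ValueError(f"not a version string: {version!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def required_fix(version: str) -> str | None:
    """Return the fixed release a vulnerable version must be upgraded to,
    or None when the version lies outside every affected range."""
    v = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(fixed):
            return fixed
    return None

def is_affected(version: str) -> bool:
    return required_fix(version) is not None

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "jira-prod-01": "7.13.2",
    "jira-prod-02": "8.2.3",
    "jira-dev-01": "8.0.1",
    "jira-legacy": "4.3.9",
}

def triage(inventory: dict[str, str]) -> dict[str, str | None]:
    """Map each host to the release it must move to, or None if not affected."""
    return {host: required_fix(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, fix in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'upgrade to ' + fix if fix else 'not affected'}")
```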
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-3251
Vulnerability details
There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.
- CWE(s): CWE-74
- KEV Date Added: 07 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of all inputs to the ContactAdministrators and SendBulkMail actions, blocking the crafted template expressions that produce arbitrary code execution.
- SI-2 (Flaw Remediation): Mandates prompt application of the vendor patches listed in JRASERVER-69532, eliminating the server-side template injection flaw before exploitation.
- Requires continuous vulnerability scanning that would identify the unpatched Jira versions listed in the CVE and trigger remediation.