
CVE-2019-11581

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 09 August 2019
Modified: 24 October 2025
KEV Added: 07 March 2022
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9435 (100.0th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-11581 is a critical-severity Injection (CWE-74) vulnerability in Atlassian Jira Server. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2019-11581 is a server-side template injection vulnerability present in the ContactAdministrators and SendBulkMail actions of Atlassian Jira Server and Data Center. It affects all versions from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3, and is tracked under CWE-74 with a CVSS 3.1 score of 9.8.

An unauthenticated remote attacker can supply crafted input to these actions and achieve arbitrary code execution on the underlying server with no user interaction required.

The issue is documented in the Atlassian advisory JRASERVER-69532, which identifies the fixed releases, and the vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation and underscoring the importance of applying the available patches.


Vulnerability details

There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.

CWE(s): CWE-74 (Injection)
KEV Date Added: 07 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Atlassian Jira Server: 4.4 — 7.6.14 · 7.7.0 — 7.13.5 · 8.0.0 — 8.0.3

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Directly requires validation of all inputs to the ContactAdministrators and SendBulkMail actions, blocking the crafted template expressions that produce arbitrary code execution.

prevent (SI-2, Flaw Remediation): Mandates prompt application of the vendor patches listed in JRASERVER-69532, eliminating the server-side template injection flaw before exploitation.

detect: Requires continuous vulnerability scanning that would identify the unpatched Jira versions listed in the CVE and trigger remediation.
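The detect control above and the affected-version ranges in the "Deeper analysis" section translate directly into an inventory check. The following is an added example for this page, not code from Atlassian or from this site: it encodes the five affected ranges stated in the advisory text (first affected version inclusive, first fixed version exclusive) and flags hosts whose Jira version falls inside one of them. The hostnames and versions in SAMPLE_INVENTORY are constructed for the example.

```python
"""Check Jira Server / Data Center version strings against the affected
ranges published for CVE-2019-11581.

Added example for this page; the ranges are taken from the advisory text,
everything else (function names, sample inventory) is constructed here."""

from typing import Iterable, List, Optional, Tuple

# (first affected, inclusive) -> (first fixed, exclusive), per the advisory text:
# "from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, ..."
AFFECTED_RANGES = [
    ("4.4.0", "7.6.14"),
    ("7.7.0", "7.13.5"),
    ("8.0.0", "8.0.3"),
    ("8.1.0", "8.1.2"),
    ("8.2.0", "8.2.3"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '7.13.4' into (7, 13, 4); drop a suffix such as '-beta' and
    pad short strings so '8.0' compares like '8.0.0'."""
    core = v.strip().split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


def affected_range(v: str) -> Optional[Tuple[str, str]]:
    """Return the (start, fixed) range containing v, or None if v is not affected.
    A version equal to the fixed release is, by the advisory's wording, not affected."""
    ver = parse_version(v)
    for start, fixed in AFFECTED_RANGES:
        if parse_version(start) <= ver < parse_version(fixed):
            return (start, fixed)
    return None


def is_affected(v: str) -> bool:
    return affected_range(v) is not None


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """inventory: (hostname, jira_version) pairs, e.g. from an asset CMDB export.
    Returns (hostname, version, first_fixed_version) for hosts that need a patch."""
    findings = []
    for host, version in inventory:
        rng = affected_range(version)
        if rng is not None:
            findings.append((host, version, rng[1]))
    return findings


# Constructed sample inventory (hostnames and versions invented for this example).
SAMPLE_INVENTORY = [
    ("jira-prod-01.example.test", "7.13.4"),   # inside 7.7.0 .. 7.13.5 -> affected
    ("jira-prod-02.example.test", "7.13.5"),   # equals the fixed release -> not affected
    ("jira-dev.example.test", "8.2.3"),        # fixed release -> not affected
    ("jira-legacy.example.test", "4.3.9"),     # below the first affected version
    ("jira-dc-01.example.test", "8.1.0"),      # inside 8.1.0 .. 8.1.2 -> affected
]

if __name__ == "__main__":
    for host, version, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: Jira {version} is affected by CVE-2019-11581; "
              f"upgrade to {fixed} or a later release in that branch")
```

Versions that sit between two ranges (for example 7.6.15, which is past the 7.6.x fix but below 7.7.0) are reported as not affected, matching the advisory's wording; a scanner that only compares against the latest release would over-report those hosts.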
