-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This email refers to the advisory found at https://confluence.atlassian.com/x/KkU4Og .

CVE ID:

* CVE-2019-15001.

Product: Jira Server and Data Center.

Affected Jira Server and Data Center product versions:

7.0.10 <= version < 7.6.16
7.7.0 <= version < 7.13.8
8.0.0 <= version < 8.1.3
8.2.0 <= version < 8.2.5
8.3.0 <= version < 8.3.4
8.4.0 <= version < 8.4.1

Fixed Jira Server and Data Center product versions:

* for 7.6.x, Jira Server and Data Center 7.6.16 has been released with a fix for this issue.
* for 7.13.x, Jira Server and Data Center 7.13.8 has been released with a fix for this issue.
* for 8.1.x, Jira Server and Data Center 8.1.3 has been released with a fix for this issue.
* for 8.2.x, Jira Server and Data Center 8.2.5 has been released with a fix for this issue.
* for 8.3.x, Jira Server and Data Center 8.3.4 has been released with a fix for this issue.
* for 8.4.x, Jira Server and Data Center 8.4.1 has been released with a fix for this issue.

Summary:

This advisory discloses a critical severity security vulnerability. Versions of Jira Server and Data Center starting with version 7.0.10 before 7.6.16 (the fixed version for 7.6.x), from version 7.7.0 before 7.13.8 (the fixed version for 7.13.x), from version 8.0.0 before 8.1.3 (the fixed version for 8.1.x), from version 8.2.0 before 8.2.5 (the fixed version for 8.2.x), from version 8.3.0 before 8.3.4 (the fixed version for 8.3.x), and from version 8.4.0 before 8.4.1 (the fixed version for 8.4.x) are affected by this vulnerability. Customers who have upgraded Jira Server and Data Center to version 7.6.16, 7.13.8, 8.1.3, 8.2.5, 8.3.4 or 8.4.1 are not affected.
Customers who have downloaded and installed any of the following Jira Server and Data Center versions:

* >= 7.0.10 but less than 7.6.16 (the fixed version for 7.6.x)
* >= 7.7.0 but less than 7.13.8 (the fixed version for 7.13.x)
* >= 8.0.0 but less than 8.1.3 (the fixed version for 8.1.x)
* >= 8.2.0 but less than 8.2.5 (the fixed version for 8.2.x)
* >= 8.3.0 but less than 8.3.4 (the fixed version for 8.3.x)
* >= 8.4.0 but less than 8.4.1 (the fixed version for 8.4.x)

please upgrade your Jira Server and Data Center installations immediately to fix this vulnerability.

Template injection in Jira Importers Plugin - CVE-2019-15001

Severity:

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Description:

There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin (JIM). An attacker with "JIRA Administrators" access can exploit this issue. Successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.
Versions of Jira Server and Data Center starting with version 7.0.10 before 7.6.16 (the fixed version for 7.6.x), from version 7.7.0 before 7.13.8 (the fixed version for 7.13.x), from version 8.0.0 before 8.1.3 (the fixed version for 8.1.x), from version 8.2.0 before 8.2.5 (the fixed version for 8.2.x), from version 8.3.0 before 8.3.4 (the fixed version for 8.3.x), and from version 8.4.0 before 8.4.1 (the fixed version for 8.4.x) are affected by this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/JRASERVER-69933 .

Fix:

To address this issue, we've released the following versions containing a fix:

* Jira Server and Data Center version 7.6.16
* Jira Server and Data Center version 7.13.8
* Jira Server and Data Center version 8.1.3
* Jira Server and Data Center version 8.2.5
* Jira Server and Data Center version 8.3.4
* Jira Server and Data Center version 8.4.1

Remediation:

Upgrade Jira Server and Data Center to version 8.4.1 or higher. The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately.

If you are running Jira Server and Data Center 7.6.x and cannot upgrade to 8.4.1, upgrade to version 7.6.16.
If you are running Jira Server and Data Center 7.13.x and cannot upgrade to 8.4.1, upgrade to version 7.13.8.
If you are running Jira Server and Data Center 8.1.x and cannot upgrade to 8.4.1, upgrade to version 8.1.3.
If you are running Jira Server and Data Center 8.2.x and cannot upgrade to 8.4.1, upgrade to version 8.2.5.
If you are running Jira Server and Data Center 8.3.x and cannot upgrade to 8.4.1, upgrade to version 8.3.4.

For a full description of the latest version of Jira Server and Data Center, see the release notes found at https://confluence.atlassian.com/jirasoftware/jira-software-release-notes-776821069.html. You can download the latest version of Jira Server and Data Center from the download centre found at https://www.atlassian.com/software/jira/download.
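The affected ranges and fix versions above are easy to misread when checking a fleet by hand (8.0.x, for example, must go to 8.1.3, and 7.6.16 through 7.6.x is not listed as affected). The following triage helper is an added example, not Atlassian code; it encodes exactly the ranges published in this advisory, and the host inventory is constructed for illustration.

```python
"""Triage helper for CVE-2019-15001: classify Jira Server / Data Center version
strings against the advisory's affected ranges and name the fixed release.
Added example; the ranges are the ones listed in the advisory text."""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# (lowest affected version, first fixed version) per branch, as published.
# A version is affected when  low <= version < fixed  for some pair.
AFFECTED_RANGES = [
    ((7, 0, 10), (7, 6, 16)),
    ((7, 7, 0), (7, 13, 8)),
    ((8, 0, 0), (8, 1, 3)),
    ((8, 2, 0), (8, 2, 5)),
    ((8, 3, 0), (8, 3, 4)),
    ((8, 4, 0), (8, 4, 1)),
]


def parse_version(text: str) -> Version:
    """Turn '8.3.2' (or '8.3', read as 8.3.0) into a comparable tuple."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Jira version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fix_version_for(version: str) -> Optional[str]:
    """Return the fixed release for an affected version, or None if not listed."""
    v = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        if low <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None  # below 7.0.10, already at/after a fix, or in an unlisted gap


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> fix version for each affected host in a {host: version} dict."""
    result = {}
    for host, version in inventory.items():
        fix = fix_version_for(version)
        if fix is not None:
            result[host] = fix
    return result


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = {"jira-prod": "8.3.2", "jira-dev": "7.13.8", "jira-legacy": "7.6.3"}

if __name__ == "__main__":
    for host, fix in triage(INVENTORY).items():
        print(f"{host}: affected, upgrade to {fix}")
```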
Support:

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----