
Jira Server / Data Center Template Injection

Posted Sep 25, 2019
Authored by Atlassian

Jira Server and Data Center suffer from a template injection vulnerability. Versions affected include 7.0.10 up to 7.6.16, 7.7.0 up to 7.13.8, 8.0.0 up to 8.1.3, 8.2.0 up to 8.2.5, 8.3.0 up to 8.3.4, and 8.4.0 up to 8.4.1.

tags | advisory
advisories | CVE-2019-15001
SHA-256 | 9506b8cb8908b8c285b6269247edf4b6b2be0b43fcb2a0b7d2fa9067b0e39019

This email refers to the advisory found at https://confluence.atlassian.com/x/KkU4Og.


CVE ID:

* CVE-2019-15001.


Product: Jira Server and Data Center.

Affected Jira Server and Data Center product versions:

7.0.10 <= version < 7.6.16
7.7.0 <= version < 7.13.8
8.0.0 <= version < 8.1.3
8.2.0 <= version < 8.2.5
8.3.0 <= version < 8.3.4
8.4.0 <= version < 8.4.1


Fixed Jira Server and Data Center product versions:

* for 7.6.x, Jira Server and Data Center 7.6.16 has been released with a fix for this issue.
* for 7.13.x, Jira Server and Data Center 7.13.8 has been released with a fix for this issue.
* for 8.1.x, Jira Server and Data Center 8.1.3 has been released with a fix for this issue.
* for 8.2.x, Jira Server and Data Center 8.2.5 has been released with a fix for this issue.
* for 8.3.x, Jira Server and Data Center 8.3.4 has been released with a fix for this issue.
* for 8.4.x, Jira Server and Data Center 8.4.1 has been released with a fix for this issue.


Summary:
This advisory discloses a critical severity security vulnerability. Versions of
Jira Server and Data Center starting with version 7.0.10 before 7.6.16 (the
fixed version for 7.6.x), from version 7.7.0 before 7.13.8 (the fixed version
for 7.13.x), from version 8.0.0 before 8.1.3 (the fixed version for 8.1.x), from
version 8.2.0 before 8.2.5 (the fixed version for 8.2.x), from version 8.3.0
before 8.3.4 (the fixed version for 8.3.x), and from version 8.4.0 before 8.4.1
(the fixed version for 8.4.x) are affected by this vulnerability.



Customers who have upgraded Jira Server and Data Center to version 7.6.16 or
7.13.8 or 8.1.3 or 8.2.5 or 8.3.4 or 8.4.1 are not affected.

Customers who have downloaded and installed an affected version of Jira Server
and Data Center (>= 7.0.10 but less than 7.6.16, >= 7.7.0 but less than 7.13.8,
>= 8.0.0 but less than 8.1.3, >= 8.2.0 but less than 8.2.5, >= 8.3.0 but less
than 8.3.4, or >= 8.4.0 but less than 8.4.1, where each upper bound is the fixed
version for that branch) should upgrade their Jira Server and Data Center
installations immediately to fix this vulnerability.



Template injection in Jira Importers Plugin - CVE-2019-15001

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

There was a server-side template injection vulnerability in Jira Server and Data
Center, in the Jira Importers Plugin (JIM). An attacker with "JIRA
Administrators" access can exploit this issue. Successful exploitation of
this issue allows an attacker to remotely execute code on systems that run a
vulnerable version of Jira Server or Data Center.
Versions of Jira Server and Data Center starting with version 7.0.10 before
7.6.16 (the fixed version for 7.6.x), from version 7.7.0 before 7.13.8 (the
fixed version for 7.13.x), from version 8.0.0 before 8.1.3 (the fixed version for
8.1.x), from version 8.2.0 before 8.2.5 (the fixed version for 8.2.x), from
version 8.3.0 before 8.3.4 (the fixed version for 8.3.x), and from version 8.4.0
before 8.4.1 (the fixed version for 8.4.x) are affected by this vulnerability.
This issue can be tracked at: https://jira.atlassian.com/browse/JRASERVER-69933



Fix:

To address this issue, we've released the following versions containing a fix:

* Jira Server and Data Center version 7.6.16
* Jira Server and Data Center version 7.13.8
* Jira Server and Data Center version 8.1.3
* Jira Server and Data Center version 8.2.5
* Jira Server and Data Center version 8.3.4
* Jira Server and Data Center version 8.4.1

Remediation:

Upgrade Jira Server and Data Center to version 8.4.1 or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Jira Server and Data Center 7.6.x and cannot upgrade to
8.4.1, upgrade to version 7.6.16.
If you are running Jira Server and Data Center 7.13.x and cannot upgrade to
8.4.1, upgrade to version 7.13.8.
If you are running Jira Server and Data Center 8.1.x and cannot upgrade to
8.4.1, upgrade to version 8.1.3.
If you are running Jira Server and Data Center 8.2.x and cannot upgrade to
8.4.1, upgrade to version 8.2.5.
If you are running Jira Server and Data Center 8.3.x and cannot upgrade to
8.4.1, upgrade to version 8.3.4.
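The per-branch remediation rules above, as an added example that is not part of Atlassian's advisory: a small Python checker that reports whether a given Jira Server / Data Center version string falls inside one of the affected ranges listed in this advisory and which fixed release applies to that branch. It assumes plain dotted numeric version strings such as 8.3.2; the ranges are the ones stated above.

```python
# Added example (not Atlassian code): check a Jira Server / Data Center
# version string against the affected ranges in this advisory (CVE-2019-15001).
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (lowest affected version inclusive, first fixed version exclusive) per branch,
# copied from the "Affected" and "Fixed" lists in the advisory.
AFFECTED_RANGES = [
    ((7, 0, 10), (7, 6, 16)),
    ((7, 7, 0), (7, 13, 8)),
    ((8, 0, 0), (8, 1, 3)),
    ((8, 2, 0), (8, 2, 5)),
    ((8, 3, 0), (8, 3, 4)),
    ((8, 4, 0), (8, 4, 1)),
]


def parse_version(text: str) -> Version:
    """Parse a dotted numeric version such as '8.3.2' into a comparable tuple.

    Assumes plain x.y or x.y.z strings (a missing patch number is treated as 0).
    Comparing integer tuples rather than strings is what makes 7.10.x sort
    after 7.7.x; a plain string comparison would get that wrong.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def fixed_version_for(version: str) -> Optional[str]:
    """Return the fixed release for the branch `version` sits in, or None if unaffected."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if low <= v < high:
            return ".".join(str(n) for n in high)
    return None


def is_affected(version: str) -> bool:
    """True if `version` falls inside any affected range of this advisory."""
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    for sample in ("7.6.15", "7.10.2", "7.6.16", "8.4.0", "8.5.0"):
        print(sample, "->", fixed_version_for(sample) or "not affected")
```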


For a full description of the latest version of Jira Server and Data Center,
see the release notes found at
https://confluence.atlassian.com/jirasoftware/jira-software-release-notes-776821069.html.
You can download the latest version of Jira Server and Data Center from the
download centre found at https://www.atlassian.com/software/jira/download.



Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.


