-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This email refers to the advisory found at https://confluence.atlassian.com/x/AzoGOg .

CVE ID:

* CVE-2019-11581.

Product: Jira Server and Data Center.

Affected Jira Server and Data Center product versions:

4.0.0 <= version < 7.6.14
7.13.0 <= version < 7.13.5
8.0.0 <= version < 8.0.3
8.1.0 <= version < 8.1.2
8.2.0 <= version < 8.2.3

Fixed Jira Server and Data Center product versions:

* Jira Server and Data Center 7.6.14 has been released with a fix for this issue.
* For 7.13.x, Jira Server and Data Center 7.13.5 has been released with a fix for this issue.
* For 8.0.x, Jira Server and Data Center 8.0.3 has been released with a fix for this issue.
* For 8.1.x, Jira Server and Data Center 8.1.2 has been released with a fix for this issue.
* For 8.2.x, Jira Server and Data Center 8.2.3 has been released with a fix for this issue.
* Jira Server and Data Center 8.3.0 has been released with a fix for this issue.

Summary:

This advisory discloses a critical severity security vulnerability. The Jira Server and Data Center versions listed above are affected by this vulnerability. Customers who have upgraded Jira Server and Data Center to version 7.6.14, 7.13.5, 8.0.3, 8.1.2, 8.2.3 or 8.3.0 are not affected.
Customers who have downloaded and installed any of the following should upgrade their Jira Server and Data Center installations immediately to fix this vulnerability:

* Jira Server and Data Center >= 4.0.0 but less than 7.6.14 (the fixed version for 7.6.x);
* Jira Server and Data Center >= 7.13.0 but less than 7.13.5 (the fixed version for 7.13.x);
* Jira Server and Data Center >= 8.0.0 but less than 8.0.3 (the fixed version for 8.0.x);
* Jira Server and Data Center >= 8.1.0 but less than 8.1.2 (the fixed version for 8.1.x);
* Jira Server and Data Center >= 8.2.0 but less than 8.2.3 (the fixed version for 8.2.x);
* any other Jira Server and Data Center version less than 8.3.0.

Template injection in various resources - CVE-2019-11581

Severity:

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Description:

There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. For this issue to be exploitable, at least one of the following conditions must be met:

- an SMTP server has been configured in Jira and the Contact Administrators Form is enabled; or
- an SMTP server has been configured in Jira and an attacker has `JIRA Administrators` access.

In the first case, where the Contact Administrators Form is enabled, attackers are able to exploit this issue without authentication. In the second case, attackers with `JIRA Administrators` access can exploit this issue. In either case, successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.
Versions of Jira Server and Data Center starting with version 7.0.0 before 7.6.14 (the fixed version for 7.6.x), from version 7.7.0 before 7.13.5 (the fixed version for 7.13.x), from version 8.0.0 before 8.0.3 (the fixed version for 8.0.x), from version 8.1.0 before 8.1.2 (the fixed version for 8.1.x), and from version 8.2.0 before 8.2.3 (the fixed version for 8.2.x) are affected by this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/JRASERVER-69532 .

Fix:

To address this issue, we've released the following versions containing a fix:

* Jira Server and Data Center version 7.6.14
* Jira Server and Data Center version 7.13.5
* Jira Server and Data Center version 8.0.3
* Jira Server and Data Center version 8.1.2
* Jira Server and Data Center version 8.2.3
* Jira Server and Data Center version 8.3.0

Remediation:

Upgrade Jira Server and Data Center to version 8.3.0 or higher. The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately.

If you are running Jira Server and Data Center 7.6.x and cannot upgrade to 8.3.0, upgrade to version 7.6.14.
If you are running Jira Server and Data Center 7.13.x and cannot upgrade to 8.3.0, upgrade to version 7.13.5.
If you are running Jira Server and Data Center 8.0.x and cannot upgrade to 8.3.0, upgrade to version 8.0.3.
If you are running Jira Server and Data Center 8.1.x and cannot upgrade to 8.3.0, upgrade to version 8.1.2.
If you are running Jira Server and Data Center 8.2.x and cannot upgrade to 8.3.0, upgrade to version 8.2.3.

For a full description of the latest version of Jira Server and Data Center, see the release notes found at https://confluence.atlassian.com/jirasoftware/jira-software-release-notes-776821069.html. You can download the latest version of Jira Server and Data Center from the download centre found at https://www.atlassian.com/software/jira/download.
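The affected and fixed version ranges above are the first thing an operator needs to turn into an inventory check. The script below is an added example and is not Atlassian's code: it transcribes the advisory's ranges and reports, for each host in a constructed inventory, whether its Jira version falls inside an affected range and which fix release closes that line. The advisory states the lower bounds in two slightly different ways (4.0.0 and 7.13.0 in the affected-versions table; 7.0.0 and 7.7.0 in the description paragraph), so the wider bound is used for each range, which is an assumption made here so that no release between the two readings is reported as safe.

```python
"""Inventory check for CVE-2019-11581 (Jira Server / Data Center SSTI).

Added example, not Atlassian's own tooling. Ranges are transcribed from the
advisory; where the advisory text gives two lower bounds for the same range,
the wider one is used (assumption: better to over-report than to miss a host).
"""
import re

# (inclusive lower bound, exclusive upper bound, fix release for that line)
AFFECTED_RANGES = (
    ("4.0.0", "7.6.14", "7.6.14"),
    ("7.7.0", "7.13.5", "7.13.5"),
    ("8.0.0", "8.0.3", "8.0.3"),
    ("8.1.0", "8.1.2", "8.1.2"),
    ("8.2.0", "8.2.3", "8.2.3"),
)
LATEST_FIX = "8.3.0"  # the advisory's recommended upgrade target


def parse_version(text):
    """Turn '8.2.2', '8.2' or '8.2.2-rc1' into a comparable tuple of ints.

    Anything after a hyphen is dropped: the advisory expresses its ranges on
    the numeric part only, so a pre-release suffix does not change the answer.
    """
    core = text.strip().split("-", 1)[0]
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", core)
    if not m:
        raise ValueError("unrecognised Jira version string: %r" % text)
    return tuple(int(g or 0) for g in m.groups())


def assess(version):
    """Return (affected, fix_for_this_line) for one installed version.

    fix_for_this_line is the release the advisory names for sites that cannot
    move straight to 8.3.0; it is None when the version is not affected.
    """
    v = parse_version(version)
    for lo, hi, fix in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return True, fix
    return False, None


def report(inventory):
    """Assess a {hostname: version} mapping and return one line per host."""
    lines = []
    for host, ver in sorted(inventory.items()):
        affected, fix = assess(ver)
        if affected:
            lines.append("%s: %s AFFECTED - upgrade to %s (or %s for this line)"
                         % (host, ver, LATEST_FIX, fix))
        else:
            lines.append("%s: %s not affected" % (host, ver))
    return lines


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {
        "jira-prod": "7.13.4",
        "jira-staging": "8.2.3",
        "jira-legacy": "7.12.3",
        "jira-new": "8.3.0",
    }
    print("\n".join(report(sample)))
```

Feed `report()` the output of whatever asset inventory you already have (the Jira version is visible in the footer of every page and in the admin console); a host on 7.6.15 or later, or on any fixed release, is reported as not affected, while a pre-release such as `8.2.2-rc1` is still flagged because only the numeric part is compared.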
Support:

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

-----BEGIN PGP SIGNATURE-----

iQJLBAEBCAA1FiEEXh3qw5vbMx/VSutRJCCXorxSdqAFAl01CQgXHHNlY3VyaXR5
QGF0bGFzc2lhbi5jb20ACgkQJCCXorxSdqCvRw/9H+M/5vPW92U/lA7Ju0T7SuCQ
WvxAQQSeXwWlMVkLxTBBfbExGWQy/kF8Czkim3pEog35bMHCS7TUxc1lR+U0CzNS
shQ9Iow1u63P8jtSFkecnqk5UDbt/CSOE80a9iXDukvLZYmoDF04CnGGJG/J+eQE
Z5Re/+jP5Id18PHLuT6nJ0fxuse/CF45gYYeqF7D75BrkpGntpM6+I6RQ97Tz6V0
dsawDIL0MEmQjAenk01CwDj8QRfsf+7XUgi3GArYdmEIYQreFPjSMYnzSKQzHYqs
TFHqI5UX0AHYk90S915fIPubMlyKb2FMpJ7Hx7RUvQOMaQUOWyysDoj9M7LSKOGq
uoJnxAKK64or4jfT9B1LiZoqDlJ2bAVc8oWkZY2LSWzm1Tazcc+bfJ4+fwCh8d39
w/8unsaS8Rhi085WoEJewNCUD5lK7c1VtKZVW7oBDupkuoiSWT9hAu+odOp1yoDp
cUVUOmhqWz+vW5IjyCXp9yZxVfIKU2w50lzADEC+413XS1XGZfjygzg7W0my3kpH
caTF0Rsh7rXLu6+eF/42ot0IinPsDJfGsorE4Wd6b64eG2fdyRSq1Fo6grh3TXgw
HDo0gbg4bGNBhWy8XZWx0oPi03WO82qsS30DgMtLiJ1WxrpaaARRK0/Nr7UYN6m1
aAyplJ/vjHf0b/xnoXo=
=+gCC
-----END PGP SIGNATURE-----