Atlassian JIRA Server Template Injection Vulnerability (CVE-2019-11581)
High Nessus Plugin ID 128762
Synopsis: The remote web server hosts a web application that is affected by a template injection vulnerability.
Description: According to its self-reported version number, the version of Atlassian JIRA hosted on the remote web server is 4.4.x < 7.6.14, 7.7.x < 7.13.5, 8.0.x < 8.0.3, 8.1.x < 8.1.2, or 8.2.x < 8.2.3. It is, therefore, affected by a server-side template injection vulnerability that exists in the ContactAdministrators and SendBulkMail actions when an SMTP server is configured and the Contact Administrators Form is enabled. An unauthenticated, remote attacker may exploit this to bypass authentication and execute arbitrary code.
Solution: Upgrade to Atlassian JIRA version 7.6.14, 7.13.5, 8.0.3, 8.1.2, 8.2.3 or later.
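The version ranges and fixed releases listed above can be checked against an inventory of self-reported JIRA versions. The following is an added example, not the Nessus plugin's own code; the function names and the sample inventory are constructed for illustration, and it checks the version only, not the SMTP or Contact Administrators Form settings.

```python
import re

# Affected ranges from the description above:
# (first affected version, first fixed version) per release branch.
AFFECTED_RANGES = [
    ((4, 4, 0), (7, 6, 14)),
    ((7, 7, 0), (7, 13, 5)),
    ((8, 0, 0), (8, 0, 3)),
    ((8, 1, 0), (8, 1, 2)),
    ((8, 2, 0), (8, 2, 3)),
]


def parse_version(text):
    """Turn '7.13.4' or '8.2' into a 3-tuple of ints; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        # Fail closed: an unparseable version must be reviewed by hand,
        # not silently reported as unaffected.
        raise ValueError(f"unrecognised JIRA version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def fixed_in(version_text):
    """Return the fixed release for an affected version, or None if unaffected."""
    version = parse_version(version_text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return ".".join(str(part) for part in first_fixed)
    return None


def triage(inventory):
    """Map each affected host to the release it should be upgraded to."""
    findings = {}
    for host, version_text in inventory.items():
        target = fixed_in(version_text)
        if target is not None:
            findings[host] = target
    return findings


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> self-reported version.
    sample = {"jira-a.example": "7.13.4", "jira-b.example": "7.6.14",
              "jira-c.example": "8.2", "jira-d.example": "8.3.0"}
    for host, target in sorted(triage(sample).items()):
        print(f"{host}: affected, upgrade to {target} or later")
```

Versions between branches, such as 7.6.14 through the last 7.6.x release, are reported as unaffected because they fall outside every listed range.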