cnvd - cnvd-2019-22482

cnvd-2019-22482

Vulnerability from cnvd

Title

Atlassian JIRA模板注入漏洞

Description

Atlassian JIRA是Atlassian公司出品的项目与事务跟踪工具。 Atlassian JIRA存在模板注入漏洞，攻击者可利用该漏洞在运行易受攻击版本的Jira Server或数据中心的系统上远程执行代码。

Severity

高

Patch Name

Atlassian JIRA模板注入漏洞的补丁

Patch Description

Atlassian JIRA是Atlassian公司出品的项目与事务跟踪工具。 Atlassian JIRA存在模板注入漏洞，攻击者可利用该漏洞在运行易受攻击版本的Jira Server或数据中心的系统上远程执行代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://confluence.atlassian.com/jira/jira-security-advisory-2019-07-10-973486595.html

Reference

https://www.atlassian.com/software/jira https://www.seebug.org/vuldb/ssvid-98021

Impacted products

Name
['Atlassian JIRA Server 4.4.', 'Atlassian JIRA Server 5..', 'Atlassian JIRA Server 6..', 'Atlassian JIRA Server 7.0.', 'Atlassian JIRA Server 7.1.', 'Atlassian JIRA Server 7.2.', 'Atlassian JIRA Server 7.3.', 'Atlassian JIRA Server 7.4.', 'Atlassian JIRA Server 7.5.', 'Atlassian JIRA Server 7.7.', 'Atlassian JIRA Server 7.8.', 'Atlassian JIRA Server 7.9.', 'Atlassian JIRA Server 7.10.', 'Atlassian JIRA Server 7.11.', 'Atlassian JIRA Server 7.12.', 'Atlassian JIRA Server 7.6.，<7.6.14', 'Atlassian JIRA Server 7.13.，<7.13.5', 'Atlassian JIRA Server 8.0.，<8.0.3', 'Atlassian JIRA Server 8.1.，<8.1.2', 'Atlassian JIRA Server 8.2.，<8.2.3', 'Atlassian Jira Data Center 4.4.', 'Atlassian Jira Data Center 5..', 'Atlassian Jira Data Center 6..', 'Atlassian Jira Data Center 7.0.', 'Atlassian Jira Data Center 7.1.', 'Atlassian Jira Data Center 7.2.', 'Atlassian Jira Data Center 7.3.', 'Atlassian Jira Data Center 7.4.', 'Atlassian Jira Data Center 7.5.', 'Atlassian Jira Data Center 7.7.', 'Atlassian Jira Data Center 7.8.', 'Atlassian Jira Data Center 7.9.', 'Atlassian Jira Data Center 7.10.', 'Atlassian Jira Data Center 7.11.', 'Atlassian Jira Data Center 7.12.', 'Atlassian Jira Data Center 7.6.，<7.6.14', 'Atlassian Jira Data Center 7.13.，<7.13.5', 'Atlassian Jira Data Center 8.0.，<8.0.3', 'Atlassian Jira Data Center 8.1.，<8.1.2', 'Atlassian Jira Data Center 8.2.，<8.2.3']

Name

['Atlassian JIRA Server 4.4.*', 'Atlassian JIRA Server 5.*.*', 'Atlassian JIRA Server 6.*.*', 'Atlassian JIRA Server 7.0.*', 'Atlassian JIRA Server 7.1.*', 'Atlassian JIRA Server 7.2.*', 'Atlassian JIRA Server 7.3.*', 'Atlassian JIRA Server 7.4.*', 'Atlassian JIRA Server 7.5.*', 'Atlassian JIRA Server 7.7.*', 'Atlassian JIRA Server 7.8.*', 'Atlassian JIRA Server 7.9.*', 'Atlassian JIRA Server 7.10.*', 'Atlassian JIRA Server 7.11.*', 'Atlassian JIRA Server 7.12.*', 'Atlassian JIRA Server 7.6.*，<7.6.14', 'Atlassian JIRA Server 7.13.*，<7.13.5', 'Atlassian JIRA Server 8.0.*，<8.0.3', 'Atlassian JIRA Server 8.1.*，<8.1.2', 'Atlassian JIRA Server 8.2.*，<8.2.3', 'Atlassian Jira Data Center 4.4.*', 'Atlassian Jira Data Center 5.*.*', 'Atlassian Jira Data Center 6.*.*', 'Atlassian Jira Data Center 7.0.*', 'Atlassian Jira Data Center 7.1.*', 'Atlassian Jira Data Center 7.2.*', 'Atlassian Jira Data Center 7.3.*', 'Atlassian Jira Data Center 7.4.*', 'Atlassian Jira Data Center 7.5.*', 'Atlassian Jira Data Center 7.7.*', 'Atlassian Jira Data Center 7.8.*', 'Atlassian Jira Data Center 7.9.*', 'Atlassian Jira Data Center 7.10.*', 'Atlassian Jira Data Center 7.11.*', 'Atlassian Jira Data Center 7.12.*', 'Atlassian Jira Data Center 7.6.*，<7.6.14', 'Atlassian Jira Data Center 7.13.*，<7.13.5', 'Atlassian Jira Data Center 8.0.*，<8.0.3', 'Atlassian Jira Data Center 8.1.*，<8.1.2', 'Atlassian Jira Data Center 8.2.*，<8.2.3']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-11581"
    }
  },
  "description": "Atlassian JIRA\u662fAtlassian\u516c\u53f8\u51fa\u54c1\u7684\u9879\u76ee\u4e0e\u4e8b\u52a1\u8ddf\u8e2a\u5de5\u5177\u3002\n\nAtlassian JIRA\u5b58\u5728\u6a21\u677f\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u8fd0\u884c\u6613\u53d7\u653b\u51fb\u7248\u672c\u7684Jira Server\u6216\u6570\u636e\u4e2d\u5fc3\u7684\u7cfb\u7edf\u4e0a\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u3002",
  "discovererName": "Daniil Dmitriev",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://confluence.atlassian.com/jira/jira-security-advisory-2019-07-10-973486595.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-22482",
  "openTime": "2019-07-15",
  "patchDescription": "Atlassian JIRA\u662fAtlassian\u516c\u53f8\u51fa\u54c1\u7684\u9879\u76ee\u4e0e\u4e8b\u52a1\u8ddf\u8e2a\u5de5\u5177\u3002\r\n\r\nAtlassian JIRA\u5b58\u5728\u6a21\u677f\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u8fd0\u884c\u6613\u53d7\u653b\u51fb\u7248\u672c\u7684Jira Server\u6216\u6570\u636e\u4e2d\u5fc3\u7684\u7cfb\u7edf\u4e0a\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Atlassian JIRA\u6a21\u677f\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Atlassian JIRA Server 4.4.*",
      "Atlassian JIRA Server 5.*.*",
      "Atlassian JIRA Server 6.*.*",
      "Atlassian JIRA Server 7.0.*",
      "Atlassian JIRA Server 7.1.*",
      "Atlassian JIRA Server 7.2.*",
      "Atlassian JIRA Server 7.3.*",
      "Atlassian JIRA Server 7.4.*",
      "Atlassian JIRA Server 7.5.*",
      "Atlassian JIRA Server 7.7.*",
      "Atlassian JIRA Server 7.8.*",
      "Atlassian JIRA Server 7.9.*",
      "Atlassian JIRA Server 7.10.*",
      "Atlassian JIRA Server 7.11.*",
      "Atlassian JIRA Server 7.12.*",
      "Atlassian JIRA Server 7.6.*\uff0c\u003c7.6.14",
      "Atlassian JIRA Server 7.13.*\uff0c\u003c7.13.5",
      "Atlassian JIRA Server 8.0.*\uff0c\u003c8.0.3",
      "Atlassian JIRA Server 8.1.*\uff0c\u003c8.1.2",
      "Atlassian JIRA Server 8.2.*\uff0c\u003c8.2.3",
      "Atlassian Jira Data Center 4.4.*",
      "Atlassian Jira Data Center 5.*.*",
      "Atlassian Jira Data Center 6.*.*",
      "Atlassian Jira Data Center 7.0.*",
      "Atlassian Jira Data Center 7.1.*",
      "Atlassian Jira Data Center 7.2.*",
      "Atlassian Jira Data Center 7.3.*",
      "Atlassian Jira Data Center 7.4.*",
      "Atlassian Jira Data Center 7.5.*",
      "Atlassian Jira Data Center 7.7.*",
      "Atlassian Jira Data Center 7.8.*",
      "Atlassian Jira Data Center 7.9.*",
      "Atlassian Jira Data Center 7.10.*",
      "Atlassian Jira Data Center 7.11.*",
      "Atlassian Jira Data Center 7.12.*",
      "Atlassian Jira Data Center 7.6.*\uff0c\u003c7.6.14",
      "Atlassian Jira Data Center 7.13.*\uff0c\u003c7.13.5",
      "Atlassian Jira Data Center 8.0.*\uff0c\u003c8.0.3",
      "Atlassian Jira Data Center 8.1.*\uff0c\u003c8.1.2",
      "Atlassian Jira Data Center 8.2.*\uff0c\u003c8.2.3"
    ]
  },
  "referenceLink": "https://www.atlassian.com/software/jira\r\nhttps://www.seebug.org/vuldb/ssvid-98021",
  "serverity": "\u9ad8",
  "submitTime": "2019-07-12",
  "title": "Atlassian JIRA\u6a21\u677f\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2019-11581 (GCVE-0-2019-11581)

Vulnerability from cvelistv5

Published

2019-08-09 19:30

Modified

2025-10-21 23:45

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

Template injection

Summary

There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.

References

URL

Tags

https://jira.atlassian.com/browse/JRASERVER-69532

x_refsource_MISC