CVE-2019-11581

Published: Aug 9, 2019Modified: Oct 24, 2025CISA KEV

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.

Affected (5)

Products: Atlassian: Jira Server

Atlassian

1 product

Jira Server

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Atlassian Jira Server	From 4.4 to 7.6.14
Atlassian Jira Server	From 7.7.0 to 7.13.5
Atlassian Jira Server	From 8.0.0 to 8.0.3
Atlassian Jira Server	From 8.1.0 to 8.1.2
Atlassian Jira Server	From 8.2.0 to 8.2.3

Related CWEs

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References (3)

https://jira.atlassian.com/browse/JRASERVER-69532

Source: security@atlassian.com

Issue TrackingVendor Advisory

https://jira.atlassian.com/browse/JRASERVER-69532

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11581

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.