CVE-2019-11581

CRITICAL KEV NUCLEI

Jira Server/Data Center <7.6.14, <7.13.5, <8.0.3, <8.1.2, <8.2.3 - RCE

Description

There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.

Exploits (4)

nomisec WRITEUP 92 stars
by jas502n · remote
https://github.com/jas502n/CVE-2019-11581

nomisec WORKING POC 10 stars
by kobs0N · remote
https://github.com/kobs0N/CVE-2019-11581

nomisec WRITEUP 6 stars
by PetrusViet · remote
https://github.com/PetrusViet/CVE-2019-11581

vulncheck_xdb WORKING POC
remote
https://github.com/r0hack/RCE-in-Jira

Nuclei Templates (1)

Atlassian Jira Server-Side Template Injection
CRITICAL by ree4pwn
Shodan: http.component:"Atlassian Jira" || http.component:"atlassian jira" || http.component:"atlassian confluence" || cpe:"cpe:2.3:a:atlassian:jira"

Scores

CVSS v3 9.8
EPSS 0.9435
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Intel

CISA KEV 2022-03-07
VulnCheck KEV 2021-01-01
InTheWild.io 2022-03-07
ENISA EUVD EUVD-2019-3251

Classification

CWE CWE-74
Status published

Affected Products (1)

atlassian/jira_server < 7.6.14

Timeline

Published Aug 09, 2019
KEV Added Mar 07, 2022
Tracked Since Feb 18, 2026