CVE-2019-15001
HIGH
Atlassian Jira Server/Data Center RCE via Template Injection (7.0.10-8.4.0)
Title source: llm
Description
The Jira Importers Plugin in Atlassian Jira Server and Data Center from version 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8, from 8.0.0 before 8.1.3, from 8.2.0 before 8.2.5, from 8.3.0 before 8.3.4 and from 8.4.0 before 8.4.1 allows remote attackers with Administrator permissions to gain remote code execution via a template injection vulnerability through the use of a crafted PUT request.
References (3)
Core References
Mailing List, Third Party Advisory mailing-list
x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Sep/42
Release Notes, Vendor Advisory x_refsource_misc
https://jira.atlassian.com/browse/JRASERVER-69933
Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/154611/Jira-Server-Data-Center-Template-Injection.html
Scores
CVSS v3
7.2
EPSS
0.1151
EPSS Percentile
93.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-94
Status
published
Products (4)
atlassian/jira_data_center
8.4.0
atlassian/jira_data_center
7.0.10 - 7.6.16
atlassian/jira_server
8.4.0
atlassian/jira_server
7.0.10 - 7.6.16
Published
Sep 19, 2019
Tracked Since
Feb 18, 2026