CVE-2019-20409

CRITICAL

Atlassian Jira < 8.8.0 - Remote Code Execution via Velocity Template Injection

Title source: llm

Description

The way in which velocity templates were used in Atlassian Jira Server and Data Center prior to version 8.8.0 allowed remote attackers to gain remote code execution if they were able to exploit a server side template injection vulnerability.

References (1)

Core References
Issue Tracking, Vendor Advisory x_refsource_misc
https://jira.atlassian.com/browse/JRASERVER-70944

Scores

CVSS v3 9.8
EPSS 0.0274
EPSS Percentile 86.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-74
Status published
Products (2)
atlassian/jira < 8.8.0
atlassian/jira_software_data_center < 8.8.0
Published Jun 23, 2020
Tracked Since Feb 18, 2026