Atlassian issued a security update for a critical Jira Server vulnerability.
According to Atlassian, a server-side template injection vulnerability CVE-2019-11581 affects Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions.
The company confirmed an attacker can exploit this vulnerability if any of the following conditions are met:
- An SMTP server has been configured in Jira and the Contact Administrators Form is enabled OR
- An SMTP server has been configured in Jira and an attacker has “JIRA Administrators” access.
Atlassian also said the critical severity security vulnerability was introduced in version 4.4.0 of Jira Server & Jira Data Center. See the advisory for details on multiple Jira versions impacted and instructions on how to upgrade to fix the vulnerability.
However, Jira Cloud is not affected. Also, Customers who have upgraded Jira Server & Jira Data Center to versions 7.6.14, 7.13.5, 8.0.3, 8.1.2 or 8.2.3 are also not affected.