CVE-2019-11581

9.8

CVSS
Critical

PUBLISHED

There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions....

Exploited in the wild Remote Low complexity No user interaction

Vendor: Atlassian
Product: Jira Server and Data Center
Published: Aug 09, 2019
EPSS: —

Description

There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.

cisa nuclei_scanner

CVSS scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0 9.3

AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitation status

Exploited in the wild

Recorded 2022-03-07 00:00:00 UTC · Source

SSVC decision points

Exploitation: active
Automatable: Yes
Technical impact: total

References

https://jira.atlassian.com/browse/JRASERVER-69532

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source	Added
CISA	Mar 07, 2022

Scanner integrations

Scanner	Reference	Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-11581.yaml	Apr 25, 2025

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

PetrusViet/CVE-2019-11581

github · Created 2021-05-04 06:30:47 UTC · 6 stars

Atlassian Jira unauthen template injection

kobs0N/CVE-2019-11581

github · Created 2019-07-25 05:29:23 UTC · 10 stars

CVE-2019–11581 PoC

jas502n/CVE-2019-11581

github · Created 2019-07-16 02:27:00 UTC · 93 stars

Atlassian JIRA Template injection vulnerability RCE

Vulnerability detail