CVE-2019-11581

There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions....

Basic Information

CVE State: PUBLISHED
Reserved Date: April 29, 2019
Published Date: August 09, 2019
Last Updated: February 07, 2025
Vendor: Atlassian
Product: Jira Server and Data Center
Description: There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2022-03-07 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2021-05-04 06:30:47 UTC) Source

References

https://jira.atlassian.com/browse/JRASERVER-69532

Known Exploited Vulnerability Information

Source	Added Date
CISA	2022-03-07 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-11581.yaml	2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

PetrusViet/CVE-2019-11581

Type: github • Created: 2021-05-04 06:30:47 UTC • Stars: 6

Atlassian Jira unauthen template injection

kobs0N/CVE-2019-11581

Type: github • Created: 2019-07-25 05:29:23 UTC • Stars: 10

CVE-2019–11581 PoC

jas502n/CVE-2019-11581

Type: github • Created: 2019-07-16 02:27:00 UTC • Stars: 93

Atlassian JIRA Template injection vulnerability RCE