cve-2019-15001
Vulnerability from cvelistv5
Published
2019-09-19 14:28
Modified
2024-09-16 23:55
Severity
Summary
The Jira Importers Plugin in Atlassian Jira Server and Data Cente from version with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8, from 8.0.0 before 8.1.3, from 8.2.0 before 8.2.5, from 8.3.0 before 8.3.4 and from 8.4.0 before 8.4.1 allows remote attackers with Administrator permissions to gain remote code execution via a template injection vulnerability through the use of a crafted PUT request.
References
Source | URL | Tags |
---|---|---|
security@atlassian.com | http://packetstormsecurity.com/files/154611/Jira-Server-Data-Center-Template-Injection.html | Third Party Advisory, VDB Entry |
security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-69933 | Release Notes, Vendor Advisory |
security@atlassian.com | https://seclists.org/bugtraq/2019/Sep/42 | Mailing List, Third Party Advisory |
Impacted products
Vendor | Product |
---|---|
Atlassian | Jira Server |
Atlassian | Jira Data Center |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T00:34:52.905Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20190925 Jira Security Advisory - 2019-09-18 - CVE-2019-15001", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "https://seclists.org/bugtraq/2019/Sep/42" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69933" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/154611/Jira-Server-Data-Center-Template-Injection.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jira Server", "vendor": "Atlassian", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "7.0.10", "versionType": "custom" }, { "lessThan": "7.6.16", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom" }, { "lessThan": "7.13.8", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.1.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.2.0", "versionType": "custom" }, { "lessThan": "8.2.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.3.0", "versionType": "custom" }, { "lessThan": "8.3.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.4.0", "versionType": "custom" }, { "lessThan": "8.4.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] }, { "product": "Jira Data Center", "vendor": "Atlassian", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "7.0.10", "versionType": "custom" }, { "lessThan": "7.6.16", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom" }, { "lessThan": "7.13.8", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom" }, { "lessThan": "8.1.3", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.2.0", "versionType": "custom" }, { "lessThan": "8.2.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.3.0", "versionType": "custom" }, { "lessThan": "8.3.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "8.4.0", "versionType": "custom" }, { "lessThan": "8.4.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2018-09-18T00:00:00", "descriptions": [ { "lang": "en", "value": "The Jira Importers Plugin in Atlassian Jira Server and Data Cente from version with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8, from 8.0.0 before 8.1.3, from 8.2.0 before 8.2.5, from 8.3.0 before 8.3.4 and from 8.4.0 before 8.4.1 allows remote attackers with Administrator permissions to gain remote code execution via a template injection vulnerability through the use of a crafted PUT request." } ], "problemTypes": [ { "descriptions": [ { "description": "Template injection", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-16T14:01:18", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian" }, "references": [ { "name": "20190925 Jira Security Advisory - 2019-09-18 - CVE-2019-15001", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "https://seclists.org/bugtraq/2019/Sep/42" }, { "tags": [ "x_refsource_MISC" ], "url": "https://jira.atlassian.com/browse/JRASERVER-69933" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/154611/Jira-Server-Data-Center-Template-Injection.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-09-18T00:00:00", "ID": "CVE-2019-15001", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Jira Server", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "7.0.10" }, { "version_affected": "\u003c", "version_value": "7.6.16" }, { "version_affected": "\u003e=", "version_value": "7.7.0" }, { "version_affected": "\u003c", "version_value": "7.13.8" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.1.3" }, { "version_affected": "\u003e=", "version_value": "8.2.0" }, { "version_affected": "\u003c", "version_value": "8.2.5" }, { "version_affected": "\u003e=", "version_value": "8.3.0" }, { "version_affected": "\u003c", "version_value": "8.3.4" }, { "version_affected": "\u003e=", "version_value": "8.4.0" }, { "version_affected": "\u003c", "version_value": "8.4.1" } ] } }, { "product_name": "Jira Data Center", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "7.0.10" }, { "version_affected": "\u003c", "version_value": "7.6.16" }, { "version_affected": "\u003e=", "version_value": "7.7.0" }, { "version_affected": "\u003c", "version_value": "7.13.8" }, { "version_affected": "\u003e=", "version_value": "8.0.0" }, { "version_affected": "\u003c", "version_value": "8.1.3" }, { "version_affected": "\u003e=", "version_value": "8.2.0" }, { "version_affected": "\u003c", "version_value": "8.2.5" }, { "version_affected": "\u003e=", "version_value": "8.3.0" }, { "version_affected": "\u003c", "version_value": "8.3.4" }, { "version_affected": "\u003e=", "version_value": "8.4.0" }, { "version_affected": "\u003c", "version_value": "8.4.1" } ] } } ] }, "vendor_name": "Atlassian" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Jira Importers Plugin in Atlassian Jira Server and Data Cente from version with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8, from 8.0.0 before 8.1.3, from 8.2.0 before 8.2.5, from 8.3.0 before 8.3.4 and from 8.4.0 before 8.4.1 allows remote attackers with Administrator permissions to gain remote code execution via a template injection vulnerability through the use of a crafted PUT request." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Template injection" } ] } ] }, "references": { "reference_data": [ { "name": "20190925 Jira Security Advisory - 2019-09-18 - CVE-2019-15001", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Sep/42" }, { "name": "https://jira.atlassian.com/browse/JRASERVER-69933", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69933" }, { "name": "http://packetstormsecurity.com/files/154611/Jira-Server-Data-Center-Template-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/154611/Jira-Server-Data-Center-Template-Injection.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-15001", "datePublished": "2019-09-19T14:28:36.566766Z", "dateReserved": "2019-08-13T00:00:00", "dateUpdated": "2024-09-16T23:55:54.513Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2019-15001\",\"sourceIdentifier\":\"security@atlassian.com\",\"published\":\"2019-09-19T15:15:15.500\",\"lastModified\":\"2022-04-22T19:53:31.783\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Jira Importers Plugin in Atlassian Jira Server and Data Cente from version with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8, from 8.0.0 before 8.1.3, from 8.2.0 before 8.2.5, from 8.3.0 before 8.3.4 and from 8.4.0 before 8.4.1 allows remote attackers with Administrator permissions to gain remote code execution via a template injection vulnerability through the use of a crafted PUT request.\"},{\"lang\":\"es\",\"value\":\"El plugin Jira Importers en Atlassian Jira Server y Data Cente desde la versi\u00f3n 7.0.10 anterior a 7.6.16, desde 7.7.0 anterior a 7.13.8, desde 8.0.0 anterior a 8.1.3, desde 8.2.0 anterior a 8.2.5, desde 8.3.0 anterior a 8.3.4 y desde 8.4.0 anteriores a 8.4.1, permite a atacantes remotos con permisos de Administrador conseguir la ejecuci\u00f3n de c\u00f3digo remota por medio de una vulnerabilidad de inyecci\u00f3n de plantilla mediante el uso de una petici\u00f3n PUT dise\u00f1ada\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:C/I:C/A:C\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\",\"baseScore\":9.0},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.0.10\",\"versionEndExcluding\":\"7.6.16\",\"matchCriteriaId\":\"27645527-F779-4D88-A5DC-3889826057F8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.7.0\",\"versionEndExcluding\":\"7.13.8\",\"matchCriteriaId\":\"C5713AA6-6A8E-4047-A2BB-F3DD86F4027F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.0\",\"versionEndExcluding\":\"8.1.3\",\"matchCriteriaId\":\"619C9169-030E-4DFA-980B-579C7BEE92EA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.2.0\",\"versionEndExcluding\":\"8.2.5\",\"matchCriteriaId\":\"19D84658-E0FE-46A1-8632-E82A617B424C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.3.0\",\"versionEndExcluding\":\"8.3.4\",\"matchCriteriaId\":\"9CCF9D19-3053-4B57-AE4F-462F26CB7488\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_server:8.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D45212C3-E178-40D9-B3EF-2738A879A345\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.0.10\",\"versionEndExcluding\":\"7.6.16\",\"matchCriteriaId\":\"1099688C-6260-4216-83C9-29ED1347FC9C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.7.0\",\"versionEndExcluding\":\"7.13.8\",\"matchCriteriaId\":\"03E27B59-BCEA-433E-94AF-81125454834F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.0\",\"versionEndExcluding\":\"8.1.3\",\"matchCriteriaId\":\"0AE27B6F-A8A0-4083-8F80-60D3AD0DBAB5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.2.0\",\"versionEndExcluding\":\"8.2.5\",\"matchCriteriaId\":\"221A13F3-D7C3-4F70-B6C6-375B77153C6E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.3.0\",\"versionEndExcluding\":\"8.3.4\",\"matchCriteriaId\":\"A0D36CAF-2183-4989-BB31-6EFA15AD6372\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_data_center:8.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"93D2C7F2-FA9A-471B-8B98-F4089E68ABA7\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/154611/Jira-Server-Data-Center-Template-Injection.html\",\"source\":\"security@atlassian.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://jira.atlassian.com/browse/JRASERVER-69933\",\"source\":\"security@atlassian.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://seclists.org/bugtraq/2019/Sep/42\",\"source\":\"security@atlassian.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}" } }
Loading...