## Jira Server - Template injection in Jira Importers Plugin - CVE-2019-15001
| Summary | CVE-2019-15001 - Template injection in Jira Importers Plugin |
| ------------------------------------------------ | ------------------------------------------------------------ |
| Advisory Release Date | 18 Sep 2019 10:00 AM PDT (Pacific Time, -7 hours) |
| Product | Jira Server & Jira Data Center. **Note:** This includes Jira Software, Jira Core, and Jira Service Desk. Jira Cloud customers are not affected. Versions listed are for Jira Core and Jira Software. **Check the compatibility matrix** to find the equivalent version for your Jira Service Desk version. |
| Affected Jira Server & Jira Data Center Versions | 7.0.x starting with 7.0.10; 7.1.x; 7.2.x; 7.3.x; 7.4.x; 7.5.x; 7.6.x before 7.6.16 (the fixed version for 7.6.x); 7.7.x; 7.8.x; 7.9.x; 7.10.x; 7.11.x; 7.12.x; 7.13.x before 7.13.8 (the fixed version for 7.13.x); 8.0.x; 8.1.x before 8.1.3 (the fixed version for 8.1.x); 8.2.x before 8.2.5 (the fixed version for 8.2.x); 8.3.x before 8.3.4 (the fixed version for 8.3.x); 8.4.0 |
| Fixed Jira Server & Jira Data Center Versions | 7.6.16; 7.13.8; 8.1.3; 8.2.5; 8.3.4; 8.4.1 |
| CVE ID(s) | CVE-2019-15001 |
### **Summary of Vulnerability**
This advisory discloses a **critical severity** security vulnerability which was introduced in version 7.0.10 of Jira Server & Jira Data Center. Versions of Jira Server & Jira Data Center affected by this vulnerability:
- from 7.0.10 before 7.6.16 (fixed in 7.6.16)
- from 7.7.0 before 7.13.8 (fixed in 7.13.8)
- from 8.0.0 before 8.1.3 (fixed in 8.1.3)
- from 8.2.0 before 8.2.5 (fixed in 8.2.5)
- from 8.3.0 before 8.3.4 (fixed in 8.3.4)
- from 8.4.0 before 8.4.1 (fixed in 8.4.1)
**Atlassian Cloud** instances have **already been upgraded** to a version of Jira which does **not** have the issue described on this page.
**Customers who are on any of the affected versions listed above, upgrade your Jira Server & Jira Data Center installations immediately to fix this vulnerability.**
## Template injection in Jira Importers Plugin
#### **Severity**
Atlassian rates the severity level of this vulnerability as **critical**, according to the scale published in [our Atlassian severity levels](https://www.atlassian.com/security/security-severity-levels). The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
#### **Description**
There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin (JIM). An attacker with "JIRA Administrators" access can exploit this issue. Successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.
Versions of Jira Server & Jira Data Center starting with 7.0.10 before 7.6.16 (the fixed version for 7.6.x), from 7.7.0 before 7.13.8 (the fixed version for 7.13.x), from 8.0.0 before 8.1.3 (the fixed version for 8.1.x), from 8.2.0 before 8.2.5 (the fixed version for 8.2.x), from 8.3.0 before 8.3.4 (the fixed version for 8.3.x), and from 8.4.0 before 8.4.1 (the fixed version for 8.4.x) are affected by this vulnerability.
This issue can be tracked here: [JRASERVER-69933](https://jira.atlassian.com/browse/JRASERVER-69933) - Template injection in Jira importers plugin - CVE-2019-15001 (status: CLOSED)
#### Acknowledgements
We would like to acknowledge [Daniil Dmitriev](https://twitter.com/ddv_ua) for finding this vulnerability.
### **Fix**
We have released the following versions of Jira Server & Jira Data Center to address this issue:
1. 8.4.1 which is available for download from <https://www.atlassian.com/software/jira/core/download>
2. 8.3.4 which is available for download from <https://www.atlassian.com/software/jira/core/update>
3. 8.2.5 which is available for download from <https://www.atlassian.com/software/jira/core/update>
4. 8.1.3 which is available for download from <https://www.atlassian.com/software/jira/core/update>
5. 7.13.8 which is available for download from <https://www.atlassian.com/software/jira/core/update>
6. 7.6.16 which is available for download from <https://www.atlassian.com/software/jira/core/update>
We have released the following versions of Jira Software Server to address this issue:
1. 8.4.1 which is available for download from <https://www.atlassian.com/software/jira/download>
2. 8.3.4 which is available for download from <https://www.atlassian.com/software/jira/update>
3. 8.2.5 which is available for download from <https://www.atlassian.com/software/jira/update>
4. 8.1.3 which is available for download from <https://www.atlassian.com/software/jira/update>
5. 7.13.8 which is available for download from <https://www.atlassian.com/software/jira/update>
6. 7.6.16 which is available for download from <https://www.atlassian.com/software/jira/update>
## **What You Need to Do**
### **Mitigation**
If you are unable to upgrade Jira immediately or are in the process of [migrating to Jira Cloud](https://www.atlassian.com/cloud-migration), then as a **temporary workaround** you can block PUT requests to the following endpoint:
- /rest/jira-importers-plugin/1.0/demo/create
Please see the following **KB article** with examples on how to perform this, selecting one of the workarounds.
After upgrading JIRA to a fixed version, you can unblock the endpoint.
Do not disable the Jira Importers Plugin.
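Added here as a worked check (not Atlassian's code, and not taken from the KB article the advisory refers to): a small Python scanner that runs over access logs from the web server or reverse proxy in front of Jira and reports PUT requests to the endpoint above, classified by response status. That lets you confirm the block is actually returning 403, and see whether anything reached the plugin before the block was applied. It assumes the Apache/nginx "combined" log format and allows for Jira being served under a context path such as `/jira`; the log lines embedded in it are constructed, not real traffic.

```python
"""
Find PUT requests to the Jira Importers Plugin endpoint named in the
advisory in access logs, and classify them by response status so you can
see (a) whether the temporary block is actually returning 403 and
(b) whether anything reached the plugin before the block was applied.

Added example, not Atlassian's code. Assumes the Apache/nginx 'combined'
access-log format in front of Jira; adjust LOG_RE if you read Tomcat's own
access log instead. The sample log lines at the bottom are constructed.
"""
import re

ENDPOINT = "/rest/jira-importers-plugin/1.0/demo/create"

# combined format: client ident user [time] "METHOD PATH PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def path_matches(path):
    """Ignore query string, trailing slash and any leading context path (/jira)."""
    return path.split("?", 1)[0].rstrip("/").endswith(ENDPOINT)


def classify(status):
    if status == 403:
        return "blocked"           # what the workaround should produce
    if status == 401:
        return "unauthenticated"   # rejected before reaching the plugin
    if 200 <= status < 300:
        return "reached plugin"    # accepted by Jira: find out who and why
    return "other"


def scan(lines):
    """Return (client, user, time, status, verdict) for each PUT to the endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "PUT" or not path_matches(m.group("path")):
            continue
        status = int(m.group("status"))
        hits.append((m.group("client"), m.group("user"), m.group("time"),
                     status, classify(status)))
    return hits


# Constructed sample lines (not real traffic): one PUT accepted before the
# block, one blocked by it, one unauthenticated PUT under a context path,
# and two requests that must not match (wrong method, wrong path).
SAMPLE_LOG = [
    '10.0.0.5 - admin [18/Sep/2019:10:15:02 +0000] "PUT /rest/jira-importers-plugin/1.0/demo/create HTTP/1.1" 200 512 "-" "python-requests/2.22.0"',
    '10.0.0.5 - admin [18/Sep/2019:11:02:41 +0000] "PUT /rest/jira-importers-plugin/1.0/demo/create HTTP/1.1" 403 153 "-" "python-requests/2.22.0"',
    '10.0.0.9 - - [18/Sep/2019:11:03:10 +0000] "PUT /jira/rest/jira-importers-plugin/1.0/demo/create?x=1 HTTP/1.1" 401 0 "-" "curl/7.64.0"',
    '10.0.0.7 - alice [18/Sep/2019:11:04:00 +0000] "GET /rest/jira-importers-plugin/1.0/demo/create HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - alice [18/Sep/2019:11:05:00 +0000] "PUT /rest/api/2/issue/TEST-1 HTTP/1.1" 204 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("%s user=%s %s -> %d (%s)" % hit)
```

A "reached plugin" hit from before the block was applied is the one to follow up on: the endpoint requires Jira Administrators access, so a 2xx there names an administrator account (or session) that issued the request.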
### **Upgrading Jira**
Atlassian recommends that you [upgrade to the latest version](https://confluence.atlassian.com/adminjiraserver/upgrading-jira-applications-938846936.html). For a full description of the latest version of Jira Server & Jira Data Center, see the [release notes](https://confluence.atlassian.com/jirasoftware/jira-software-release-notes-776821069.html). You can download the latest version of Jira Server & Jira Data Center from the [download center](https://www.atlassian.com/software/jira/core/download).
**Upgrade Jira Server & Jira Data Center to version 8.4.1 or higher.**
### **If you can't upgrade to the latest version (8.4.1):**
(1) If you have a **current feature version** (a feature version released on 10 December 2018 or later), upgrade to the **next bugfix version of your current feature version**.
| If you have feature version… | …then upgrade to this bugfix version: |
| ---------------------------- | ------------------------------------- |
| 8.0.x | 8.1.3 |
| 8.1.x | 8.1.3 |
| 8.2.x | 8.2.5 |
| 8.3.x | 8.3.4 |
| 8.4.x | 8.4.1 |
(2) If you have a current **Enterprise release version** (an Enterprise release version released on 10th July 2017 or later), **upgrade to the latest Enterprise release version (7.13.8).**
| **If you have Enterprise release version…** | **…then upgrade to this version:** |
| ------------------------------------------- | ---------------------------------- |
| 7.6.x | 7.6.16, **7.13.8 (recommended)** |
| 7.13.x | 7.13.8 |
(3) If you have an **older version** (a feature version released before 10 December 2018, or an [Enterprise release](https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html) version released before 10th July 2017), either upgrade to the **latest version**, or to the **latest Enterprise release version (7.13.8)**.
| **If you have an older version…** | **…then upgrade to any of these versions:** |
| ------------------------------------------------------------ | ------------------------------------------------------------ |
| 7.0.x, 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.x, 7.7.x, 7.8.x, 7.9.x, 7.10.x, 7.11.x, 7.12.x | **Current versions:** 8.1.3, 8.2.5, 8.3.4, 8.4.1. **Enterprise releases:** 7.6.16, 7.13.8 |
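To turn the affected ranges and the upgrade tables above into something you can run against an instance's reported version, here is an added Python example (not Atlassian's code). The ranges and targets are the ones this advisory lists; the `/rest/api/2/serverInfo` JSON it parses is a constructed sample, and `version_from_server_info` is a helper name chosen for this example.

```python
"""
Map a Jira Server / Data Center version to the CVE-2019-15001 affected
ranges and upgrade targets published in this advisory.

Added example, not Atlassian's code. The ranges and targets below are
copied from the advisory text; the serverInfo JSON in main() is constructed.
"""
import json

# (first affected, first fixed) per release line: affected if first <= v < fixed.
AFFECTED_RANGES = [
    ((7, 0, 10), (7, 6, 16)),   # 7.0.10 .. 7.6.15
    ((7, 7, 0), (7, 13, 8)),    # 7.7.0 .. 7.13.7
    ((8, 0, 0), (8, 1, 3)),     # 8.0.0 .. 8.1.2
    ((8, 2, 0), (8, 2, 5)),     # 8.2.0 .. 8.2.4
    ((8, 3, 0), (8, 3, 4)),     # 8.3.0 .. 8.3.3
    ((8, 4, 0), (8, 4, 1)),     # 8.4.0 only
]

# Upgrade targets from the "If you can't upgrade to the latest version" tables.
FEATURE_TARGETS = {(8, 0): "8.1.3", (8, 1): "8.1.3", (8, 2): "8.2.5",
                   (8, 3): "8.3.4", (8, 4): "8.4.1"}
ENTERPRISE_TARGETS = {(7, 6): "7.6.16 or 7.13.8 (recommended)", (7, 13): "7.13.8"}
OLDER_TARGETS = "8.4.1 (latest) or 7.13.8 (latest Enterprise release)"


def parse_version(text):
    """'8.2.4' -> (8, 2, 4); '8.2' -> (8, 2, 0). Drops suffixes like '-SNAPSHOT'."""
    core = text.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError("unrecognised Jira version: %r" % text)
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    """True if the version falls inside one of the published affected ranges."""
    v = parse_version(version)
    return any(first <= v < fixed for first, fixed in AFFECTED_RANGES)


def upgrade_target(version):
    """Recommended fixed version per the advisory's three cases; None if not affected."""
    v = parse_version(version)
    if not is_affected(version):
        return None
    line = v[:2]
    if line in FEATURE_TARGETS:        # (1) current feature version
        return FEATURE_TARGETS[line]
    if line in ENTERPRISE_TARGETS:     # (2) current Enterprise release
        return ENTERPRISE_TARGETS[line]
    return OLDER_TARGETS               # (3) older 7.x feature versions


def version_from_server_info(payload):
    """Pull the 'version' field out of a GET /rest/api/2/serverInfo response body."""
    return json.loads(payload)["version"]


if __name__ == "__main__":
    # Constructed sample of a serverInfo response (only 'version' is used).
    sample = '{"baseUrl": "https://jira.example.test", "version": "8.2.4", "deploymentType": "Server"}'
    v = version_from_server_info(sample)
    print(v, "affected:", is_affected(v), "upgrade to:", upgrade_target(v))
```

Note that anything newer than 8.4.1 (8.5.x and later) falls outside every range and is reported as not affected, which matches the advisory: the fix shipped in 8.4.1.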
### **Support**
If you did not receive an email for this advisory and you wish to receive such emails in the future go to <https://my.atlassian.com/email> and subscribe to Alerts emails.
If you have questions or concerns regarding this advisory, please raise a support request at <https://support.atlassian.com/>.
### **References**
| [Security Bug fix Policy](https://www.atlassian.com/security/secpol) | As per our policy, critical security bug fixes will be backported in accordance with <https://www.atlassian.com/trust/security/bug-fix-policy>. We will release new maintenance releases for the versions covered by the policy instead of binary patches. **Binary patches are no longer released.** |
| ------------------------------------------------------------ | ------------------------------------------------------------ |
| [Severity Levels for security issues](https://www.atlassian.com/security/security-severity-levels) | Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at [FIRST.org](https://www.first.org/cvss/user-guide). |
| [End of Life Policy](https://confluence.atlassian.com/support/atlassian-support-end-of-life-policy-201851003.html) | Our end of life policy varies for different products. Please refer to our EOL Policy for details. |