Atlassian JIRA Server/Data Center up to 8.4.0 Jira Importers Plugin PUT Request injection

Summaryinfo

A vulnerability identified as critical has been detected in Atlassian JIRA Server and Data Center up to 8.4.0. This impacts an unknown function of the component Jira Importers Plugin. This manipulation as part of PUT Request causes injection. This vulnerability is tracked as CVE-2019-15001. The attack is possible to be carried out remotely. No exploit exists. You should upgrade the affected component.

Detailsinfo

A vulnerability has been found in Atlassian JIRA Server and Data Center up to 8.4.0 (Bug Tracking Software) and classified as critical. Affected by this vulnerability is some unknown functionality of the component Jira Importers Plugin. The manipulation as part of a PUT Request leads to a injection vulnerability. The CWE definition for the vulnerability is CWE-74. The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

The Jira Importers Plugin in Atlassian Jira Server and Data Cente from version with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8, from 8.1.0 before 8.1.3, from 8.2.0 before 8.2.5, from 8.3.0 before 8.3.4 and from 8.4.0 before 8.4.1 allows remote attackers with Administrator permissions to gain remote code execution via a template injection vulnerability through the use of a crafted PUT request.

The weakness was disclosed 09/19/2019 (Website). The advisory is shared at seclists.org. This vulnerability is known as CVE-2019-15001 since 08/13/2019. The exploitation appears to be easy. The attack can be launched remotely. A single authentication is required for exploitation. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1055 for this issue.

Upgrading to version 7.0.11, 7.13.8, 8.1.3, 8.2.5, 8.3.4 or 8.4.1 eliminates this vulnerability.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• Bug Tracking Software

Vendor

• Atlassian

Name

• Data Center
• JIRA Server

Version

• 7.0.0
• 7.0.1
• 7.0.2
• 7.0.3
• 7.0.4
• 7.0.5
• 7.0.6
• 7.0.7
• 7.0.8
• 7.0.9
• 7.0.10
• 7.13.0
• 7.13.1
• 7.13.2
• 7.13.3
• 7.13.4
• 7.13.5
• 7.13.6
• 7.13.7
• 8.0
• 8.1
• 8.1.0
• 8.1.1
• 8.1.2
• 8.2
• 8.2.0
• 8.2.1
• 8.2.2
• 8.2.3
• 8.2.4
• 8.3
• 8.3.0
• 8.3.1
• 8.3.2
• 8.3.3
• 8.4.0

License

• free

Website

• Vendor: https://www.atlassian.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion