Atlassian has issued a critical security advisory for several applications that run on the company's Jira Server and Data Center platform.
The vulnerability, CVE-2019-11581, affects Jira Software, Jira Core and Jira Service Desk; Jira Cloud customers are not affected. It is a server-side template injection flaw that was introduced in version 4.4.0 of Jira Server and Data Center.
For the issue to be exploitable, the company said, at least one of two conditions must hold: an SMTP server has been configured in Jira and the Contact Administrators form is enabled; or an SMTP server has been configured in Jira and the attacker has "JIRA Administrators" access.
“In the first case, where the Contact Administrators Form is enabled, attackers are able to exploit this issue without authentication. In the second case, attackers with "JIRA Administrators" access can exploit this issue. In either case, successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center,” the alert stated.
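The two exploitation scenarios above map directly onto a triage question a defender has to answer for each Jira instance: is the installed version in an affected range, is outgoing mail configured, and is the Contact Administrators form reachable? The following helper is an added example written for this page; it is not Atlassian's code and not part of the advisory. The version boundaries it uses (first fixed releases 7.6.14, 7.13.5, 8.0.3, 8.1.2 and 8.2.3, with 8.3.0 and later unaffected) come from Atlassian's advisory for CVE-2019-11581 rather than from the text above. It assumes the version string and `deploymentType` field are taken from Jira's `/rest/api/2/serverInfo` response; the sample response embedded here is constructed so the script runs offline, and the two precondition flags have to be gathered from the instance's mail and general configuration by whoever runs it.

```python
"""Exposure triage for CVE-2019-11581 (server-side template injection in
Jira Server / Data Center). Added example, not Atlassian's code.

Version boundaries are taken from Atlassian's advisory for this CVE; the
precondition logic follows the two exploitation scenarios it describes.
"""
import json
import re
from typing import Dict, Tuple

# Affected release lines as half-open ranges [first_affected, first_fixed).
# Nothing before 4.4.0 was affected, and 8.3.0 and later never were.
AFFECTED_RANGES = [
    ((4, 4, 0), (7, 6, 14)),
    ((7, 7, 0), (7, 13, 5)),
    ((8, 0, 0), (8, 0, 3)),
    ((8, 1, 0), (8, 1, 2)),
    ((8, 2, 0), (8, 2, 3)),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '8.2.1', '7.13' or '7.13.5-m01' into a comparable (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Jira version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def version_affected(version: str) -> bool:
    """True when this release still ships the vulnerable template-handling code."""
    v = parse_version(version)
    return any(lo <= v < fixed for lo, fixed in AFFECTED_RANGES)


def assess(server_info: Dict[str, str], smtp_configured: bool,
           contact_admins_form_enabled: bool) -> Tuple[str, str]:
    """Classify one instance as not_affected, latent, exposed_admin or exposed_unauth.

    server_info: the JSON object returned by /rest/api/2/serverInfo (only the
    'version' and 'deploymentType' fields are used; 'deploymentType' is assumed
    to read "Cloud" on Jira Cloud and "Server" otherwise).
    The two flags are the advisory's preconditions; they must be read from the
    instance's outgoing-mail and general configuration.
    """
    if server_info.get("deploymentType") == "Cloud":
        return "not_affected", "Jira Cloud is not affected"
    version = server_info["version"]
    if not version_affected(version):
        return "not_affected", f"version {version} is outside the affected ranges"
    if not smtp_configured:
        # Vulnerable code is present; only the trigger is missing. Still patch.
        return "latent", "no SMTP server configured, preconditions unmet; patch anyway"
    if contact_admins_form_enabled:
        return "exposed_unauth", ("SMTP configured and Contact Administrators form "
                                  "enabled: exploitable without authentication")
    # Second advisory scenario: SMTP alone lets any JIRA Administrators account reach RCE.
    return "exposed_admin", "SMTP configured: exploitable by any JIRA Administrators account"


# Constructed sample of a serverInfo response, so the example runs offline.
SAMPLE_SERVER_INFO = json.loads(
    '{"baseUrl": "https://jira.example.internal", "version": "8.2.1", '
    '"deploymentType": "Server"}'
)

if __name__ == "__main__":
    status, reason = assess(SAMPLE_SERVER_INFO, smtp_configured=True,
                            contact_admins_form_enabled=True)
    print(f"{SAMPLE_SERVER_INFO['baseUrl']}: {status} ({reason})")
```

The ranges are half-open on purpose: a release equal to the first fixed version is reported as clean, and a version from a later branch (for example 7.12.0) is only matched by its own branch's range, so a 7.6.x fix does not mask an unpatched 7.13.x install. The "latent" result is deliberately not "safe": an instance that only lacks an SMTP server becomes exploitable the moment someone configures one, so patching is still the answer.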