CVE-2019-11581 Atlassian Jira Unauthorized Template Injection Vulnerability


Jira is a proprietary issue tracking product developed by Atlassian that allows bug tracking and agile project management. It runs on a bundled Apache Tomcat application server and accessible via HTTP over port 8080/TCP or HTTPS over port 8443/TCP.

Vulnerability Description: 
CVE-2019-11581 is a server-side template injection vulnerability in Jira Server and Data Center, in the “ContactAdministrators” and the “SendBulkMail” actions. For this issue to be exploitable at least one of the following conditions must be met:

  • an SMTP server has been configured in Jira and the Contact Administrators Form is enabled; or
  • an SMTP server has been configured in Jira and an attacker has “JIRA Administrators” access.

In the first case, where the Contact Administrators Form is enabled, attackers are able to exploit this issue without authentication. In the second case, attackers with “JIRA Administrators” access can exploit this issue. In either case, successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.

Vulnerability Details:

The template injection vulnerabilities are due to insufficient sanitization of parameters used to build portions of templates used to send outgoing emails.  When constructing an email to send to administrators, the subject line is directly passed in as a template and is not sanitized, providing the opportunity for code execution. A remote unauthenticated attacker can exploit this vulnerability by submitting a crafted request to the Contact Administrators form. Similarly a remote user with administrator access can exploit this vulnerability by submitting a crafted request to the Send Bulk Mail functionality. Successful exploitation results in the execution of arbitrary code in the  context of the Jira server.
Fig: Jira web page when Contact Administrators Form is enabled
Jira login page allows unauthorized users to contact administrators if “ContactAdministrators” Form is enabled. In the vulnerable versions, the input entered into the subject line is directly passed without proper sanitization, leading to arbitrary code execution.
Fig: Vulnerable Contact Form

If you are unable to upgrade Jira immediately, then as a temporary workaround, you can:

  1. Disable the Contact Administrators Form
  2. Block access to the endpoint /secure/admin/SendBulkMail!default.jspa

Atlassian has released the latest versions of Jira Server & Jira Data Center to address this issue. it’s advisory can be found here:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:
IPS: 14330 Atlassian JIRA Template Injection 1
IPS: 14331 Atlassian JIRA Template Injection 2
WAF: 1719 Atlassian JIRA Template Injection Code Execution
WAF: 1681 EXEC Statement (Possible SQL Injection)

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.