Long-hidden server-side template injection bug unearthed
Atlassian has patched a critical vulnerability in Jira Server that could impact users of the eponymous, developer-favorite workflow software.
The vulnerability (CVE-2019-11581) in the bug-tracking and project management software creates a means for an attacker to remotely execute code on systems running vulnerable versions of either Jira Server or Data Center.
The security bug was introduced in version 4.4.0 of Jira Server and Jira Data Center, released back in 2011.
The difficulty of exploiting the server-side template injection (SSTI) vulnerability is partially dependent on systems configuration.
Where an SMTP server has been configured in Jira and the Contact Administrators Form is enabled, an attacker would be able to exploit this issue without authentication.
The vulnerability is also exploitable in cases where an SMTP server has been configured in Jira and an attacker has Jira administrator access.
Either case clears the way for an attacker to push malicious code onto systems that run a vulnerable version of Jira Server or Data Center.
Atlassian credits Ukrainian security researcher Daniil Dmitriev with discovering the security bug.
An advisory from the company offers patching advice and suggested workarounds for those unable to apply an immediate update.