CyberSec.Space Logo
Back to CVE Browser

CVE-2019-11581

Known Exploited (CISA KEV)CRITICAL
9.8
CVSS Severity Score
EPSS Score41.8400%
EPSS Percentile87.44th
PublishedAug 9, 2019
Last ModifiedOct 24, 2025

Vulnerability Description

There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.

Affected Platforms (CPE)

πŸ“¦
Atlassian

Jira Server

>= 4.4 and < 7.6.14
πŸ“¦
Atlassian

Jira Server

>= 7.7.0 and < 7.13.5
πŸ“¦
Atlassian

Jira Server

>= 8.0.0 and < 8.0.3
πŸ“¦
Atlassian

Jira Server

>= 8.1.0 and < 8.1.2
πŸ“¦
Atlassian

Jira Server

>= 8.2.0 and < 8.2.3

References & Advisories

πŸ”— https://jira.atlassian.com/browse/JRASERVER-69532
πŸ”— https://jira.atlassian.com/browse/JRASERVER-69532
πŸ”— https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11581

Related Vulnerabilities

CVE-2017-59839.8

The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allo...

CVE-2020-141729.8

This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templates has b...

CVE-2019-204099.8

The way in which velocity templates were used in Atlassian Jira Server and Data Center prior to version 8.8.0 allowed remote attac...

CVE-2021-260688.8

An endpoint in Atlassian Jira Server for Slack plugin from version 0.0.3 before version 2.0.15 allows remote attackers to execute ...