CIS Logo
tagline: Confidence in the Connected World

A Vulnerability in Jira Server Could Allow for Server-Side Template Injection

MS-ISAC ADVISORY NUMBER:

2019-072

DATE(S) ISSUED:

07/11/2019

OVERVIEW:

A vulnerability has been discovered in JIRA Servers & Data Centers, which can allow for server template injection. JIRA is tool designed for bug tracking, tracking related issues and project management. Successful exploitation of this vulnerability will enable command injection to the vulnerable server. Depending on the privileges associated with the user running the Jira application service, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of this vulnerability could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There is a publicly available exploit for this vulnerability.

SYSTEMS AFFECTED:

  • JIRA Servers & Data Centers 7.x versions prior to 7.6.14 and 7.13.5
  • JIRA Servers & Data Centers 8.0.x versions prior to 8.0.3
  • JIRA Servers & Data Centers 8.1.x versions prior to 8.1.2
  • JIRA Servers & Data Centers 8.2.x versions prior to 8.2.3

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM
Home Users:
LOW

TECHNICAL SUMMARY:

A vulnerability has been discovered in JIRA Servers & Data Centers, which can allow for server template injection. This vulnerability occurs when an SMTP server has been configured in Jira and a malicious user has access to either the “Contact Administrators Form” or has “JIRA Administrators” access. If an attacker has administrator access, they can exploit this vulnerability via Velocity Templates. This vulnerability exists due to improper input validation within the subject field. When an attacker sends a specially crafted payload to the subject field within the “Contact Administrators Form” or the Velocity template, the desired command injected will be executed in the context of the server. Successful exploitation of this vulnerability will enable command injection to the vulnerable server.

Successful exploitation of this vulnerability will enable command injection to the vulnerable server. Depending on the privileges associated with the user running the Jira application service, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of this vulnerability could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by Jira to vulnerable systems, immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:

Get Email Updates When Cyber Threats Like This Arise

Arrow Subscribe to Advisories

Related Resources



Arrow CIS Control 3: Continuous Vulnerability Assessment and Remediation

Information Hub : Advisories


CONTROL: 1 --- ADVISORY CONTROL: 0
CONTROL: 2 --- ADVISORY CONTROL: 0
CONTROL: 3 --- ADVISORY CONTROL: 0

Pencil Blog post 18 Jul 2019
CONTROL: 4 --- ADVISORY CONTROL: 0