Urgent: Critical Vulnerability Found in Jira Products

On Wednesday September 18, 2019, Atlassian announced a critical “template injection vulnerability” in the Jira Importers Plugin that is included with the distribution of Jira and Jira Data Center. In certain cases, this vulnerability allows a remote user with “Jira Administrator” permission to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.

Note: This includes Jira Software, Jira Core Server, and Jira Service Desk and their Data Center counterparts.

What you need to know…

  • Jira Versions affected:
    • 7.0.10 -7.6.15
    • 7.7.0 – 7.13.7
    • 8.0.0 – 8.1.2
    • 8.2.0 – 8.2.4
    • 8.3.0 8.3.3
    • 8.4.0
  • Jira Versions already fixed:
    • 7.6.16
    • 7.13.8
    • 8.1.3
    • 8.2.5
    • 8.3.4
    • 8.4.1
  • Location and description of vulnerability: This vulnerability allows an attacker with login access and “Jira Administrator” permission to execute commands on the server that runs Jira.
  • Recommended action: Implement the short term workaround immediately and upgrade to a non-vulnerable version as soon as possible.
  • Short-term workaround: If you can’t upgrade immediately, we recommend that you do the following as a workaround until an upgrade can be performed:
    1. Block PUT access to the /rest/jira-importers-plugin/1.0/demo/create REST API method
    2. Do not disable the Jira Importers Plugin
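As an added illustration of workaround step 1 (not from Atlassian or the original post), the fragment below shows how a reverse proxy in front of Jira can refuse PUT requests to that endpoint while the rest of the Importers Plugin stays reachable. It assumes nginx, a Jira instance listening on 127.0.0.1:8080 and the hostname jira.example.com; the endpoint path is the one named in the advisory.

```nginx
# Added example: nginx reverse proxy in front of Jira.
# Upstream address and hostname are assumptions, not from the advisory.
upstream jira {
    server 127.0.0.1:8080;
}

server {
    listen 80;                      # TLS directives omitted for brevity
    server_name jira.example.com;   # placeholder hostname

    # Workaround step 1: block PUT to the importer "demo/create" endpoint.
    # Regex prefix match, case-insensitive, so a trailing slash or a
    # ";param" suffix on the same path is refused as well.
    # If Jira runs under a context path (e.g. /jira), prefix it here.
    location ~* ^/rest/jira-importers-plugin/1\.0/demo/create {
        if ($request_method = PUT) {
            return 403;             # logged in the access log for monitoring
        }
        # Other methods still reach Jira; the plugin is NOT disabled (step 2).
        proxy_pass http://jira;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else passes through unchanged.
    location / {
        proxy_pass http://jira;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading nginx, confirm the rule is in place with `curl -i -X PUT http://jira.example.com/rest/jira-importers-plugin/1.0/demo/create`, which should return HTTP 403, while a GET to the same path still reaches Jira. Keep in mind that this only protects traffic that passes through the proxy, so direct access to port 8080 must also be closed off.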

Need help with this?

Give us a call. As an Atlassian Platinum Solution Partner, we’re here to help you keep all your Atlassian products running smoothly.

References:
Atlassian Bug
CVE Article