On Wednesday September 18, 2019, Atlassian announced a critical “template injection vulnerability” in the Jira Importers Plugin that is included with the distribution of Jira and Jira Data Center. In certain cases, this vulnerability allows a remote user with “Jira Administrator” permission to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.
Note: This includes Jira Software, Jira Core Server, and Jira Service Desk and their Data Center counterparts.
What you need to know…
- Jira Versions affected:
  - 7.0.10 – 7.6.15
  - 7.7.0 – 7.13.7
  - 8.0.0 – 8.1.2
  - 8.2.0 – 8.2.4
  - 8.3.0 – 8.3.3
- Jira Versions already fixed:
- Location and description of vulnerability: This vulnerability allows an attacker with login access and “Jira Administrator” permission to execute commands on the server that runs Jira.
- Recommended action: Implement the short term workaround immediately and upgrade to a non-vulnerable version as soon as possible.
- Short-term workaround: If you can’t upgrade immediately, we recommend that you do the following as a workaround until an upgrade can be performed:
  - Block PUT access to the /rest/jira-importers-plugin/1.0/demo/create REST API method
- Do not disable the Jira Importers Plugin
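One way to apply that workaround at the reverse proxy in front of Jira, as an added example that is not from this page or from Atlassian. It assumes nginx, Jira listening on 127.0.0.1:8080 under the root context path, and the placeholder hostname jira.example.com; adjust the path prefix if Jira runs under a context path such as /jira.

```nginx
# Added example (not Atlassian's own configuration).
# Assumes Jira is reachable on 127.0.0.1:8080 at the root context path.
upstream jira_backend {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name jira.example.com;          # placeholder hostname

    # ssl_certificate / ssl_certificate_key directives go here

    # Workaround: reject PUT requests to the importers demo endpoint
    # before they reach Jira. "^~" makes this prefix match take
    # priority over any regex locations defined elsewhere.
    location ^~ /rest/jira-importers-plugin/1.0/demo/create {
        if ($request_method = PUT) {
            return 403;
        }
        proxy_pass http://jira_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else is proxied unchanged.
    location / {
        proxy_pass http://jira_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

For Data Center, the rule must sit in front of every node (or on the load balancer), and it only reduces exposure until the upgrade in the recommended action is done.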
Need help with this?
Give us a call. As an Atlassian Platinum Solution Partner, we’re here to help you keep all your Atlassian products running smoothly.