CVE-2019-11581: Atlassian Jira未授权服务端模板注入漏洞

日期: 2025-09-01 | 影响软件: Atlassian Jira | POC: 已公开

漏洞描述

Jira Server and Data Center is susceptible to a server-side template injection vulnerability via the ContactAdministrators and SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability. Shodan: http.component:"Atlassian Jira" Fofa: title="Atlassian Jira"

PoC代码[已公开]

id: CVE-2019-11581

info:
  name: Atlassian Jira未授权服务端模板注入漏洞
  author: zan8in
  severity: critical
  verified: true
  description: |-
    Jira Server and Data Center is susceptible to a server-side template injection vulnerability via the ContactAdministrators and SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.
    Shodan: http.component:"Atlassian Jira"
    Fofa: title="Atlassian Jira"
  affected: |-
    4.4.x
    5.x.x
    6.x.x
    7.0.x
    7.1.x
    7.2.x
    7.3.x
    7.4.x
    7.5.x
    7.6.x < 7.6.14
    7.7.x
    7.8.x
    7.9.x
    7.10.x
    7.11.x
    7.12.x
    7.13.x < 7.13.5
    8.0.x < 8.0.3
    8.1.x < 8.1.2
    8.2.x < 8.2.3
  reference:
    - https://mp.weixin.qq.com/s/d2yvSyRZXpZrPcAkMqArsw
    - https://github.com/jas502n/CVE-2019-11581
    - https://jira.atlassian.com/browse/JRASERVER-69532
    - https://nvd.nist.gov/vuln/detail/CVE-2019-11581
    - https://github.com/0x48piraj/jiraffe
    - https://github.com/bakery312/Vulhub-Reproduce
  tags: cve,cve2019,atlassian,jira,ssti,rce
  created: 2024/02/25

rules:
  r0:
    request:
      method: GET
      path: /secure/ContactAdministrators!default.jspa
    expression: |
      response.status == 200 &&
      response.body.ibcontains(b'Contact Site Administrators') &&
      response.body.ibcontains(b'has not yet configured this contact form') &&
      (
          "\\(v4\\.4\\.".bmatches(response.body) ||
          "\\(v5\\.".bmatches(response.body) ||
          "\\(v6\\.".bmatches(response.body) ||
          "\\(v7\\.[012345789]\\.".bmatches(response.body) ||
          "\\(v7\\.1[0-2]\\.".bmatches(response.body) ||
          "\\(v7\\.6\\.([0-9]|[1][0-3])".bmatches(response.body) ||
          "\\(v7\\.\\13\\.[0-4]".bmatches(response.body) ||
          "\\(v8\\.0\\.[0-2]".bmatches(response.body) ||
          "\\(v8\\.1\\.[0-1]".bmatches(response.body) ||
          "\\(v8\\.2\\.[0-2]".bmatches(response.body) 
      )
expression: r0()
来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/CVE/2019/CVE-2019-11581.yaml

相关漏洞推荐