CVE-2019-15001 - Vulnerability Details

Vendors	Products
Atlassian	Jira Data Center Jira Server

Link	Providers
http://packetstormsecurity.com/files/154611/Jira-Server-Data-Center-Template-Injection.html
https://jira.atlassian.com/browse/JRASERVER-69933
https://seclists.org/bugtraq/2019/Sep/42

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "Jira Server", "vendor": "Atlassian", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "7.0.10", "versionType": "custom"}, {"lessThan": "7.6.16", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom"}, {"lessThan": "7.13.8", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom"}, {"lessThan": "8.1.3", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "8.2.0", "versionType": "custom"}, {"lessThan": "8.2.5", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "8.3.0", "versionType": "custom"}, {"lessThan": "8.3.4", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "8.4.0", "versionType": "custom"}, {"lessThan": "8.4.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Jira Data Center", "vendor": "Atlassian", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "7.0.10", "versionType": "custom"}, {"lessThan": "7.6.16", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom"}, {"lessThan": "7.13.8", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom"}, {"lessThan": "8.1.3", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "8.2.0", "versionType": "custom"}, {"lessThan": "8.2.5", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "8.3.0", "versionType": "custom"}, {"lessThan": "8.3.4", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "8.4.0", "versionType": "custom"}, {"lessThan": "8.4.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2018-09-18T00:00:00", "descriptions": [{"lang": "en", "value": "The Jira Importers Plugin in Atlassian Jira Server and Data Cente from version with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8, from 8.0.0 before 8.1.3, from 8.2.0 before 8.2.5, from 8.3.0 before 8.3.4 and from 8.4.0 before 8.4.1 allows remote attackers with Administrator permissions to gain remote code execution via a template injection vulnerability through the use of a crafted PUT request."}], "problemTypes": [{"descriptions": [{"description": "Template injection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-07-16T14:01:18", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian"}, "references": [{"name": "20190925 Jira Security Advisory - 2019-09-18 - CVE-2019-15001", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2019/Sep/42"}, {"tags": ["x_refsource_MISC"], "url": "https://jira.atlassian.com/browse/JRASERVER-69933"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/154611/Jira-Server-Data-Center-Template-Injection.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-09-18T00:00:00", "ID": "CVE-2019-15001", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jira Server", "version": {"version_data": [{"version_affected": ">=", "version_value": "7.0.10"}, {"version_affected": "<", "version_value": "7.6.16"}, {"version_affected": ">=", "version_value": "7.7.0"}, {"version_affected": "<", "version_value": "7.13.8"}, {"version_affected": ">=", "version_value": "8.0.0"}, {"version_affected": "<", "version_value": "8.1.3"}, {"version_affected": ">=", "version_value": "8.2.0"}, {"version_affected": "<", "version_value": "8.2.5"}, {"version_affected": ">=", "version_value": "8.3.0"}, {"version_affected": "<", "version_value": "8.3.4"}, {"version_affected": ">=", "version_value": "8.4.0"}, {"version_affected": "<", "version_value": "8.4.1"}]}}, {"product_name": "Jira Data Center", "version": {"version_data": [{"version_affected": ">=", "version_value": "7.0.10"}, {"version_affected": "<", "version_value": "7.6.16"}, {"version_affected": ">=", "version_value": "7.7.0"}, {"version_affected": "<", "version_value": "7.13.8"}, {"version_affected": ">=", "version_value": "8.0.0"}, {"version_affected": "<", "version_value": "8.1.3"}, {"version_affected": ">=", "version_value": "8.2.0"}, {"version_affected": "<", "version_value": "8.2.5"}, {"version_affected": ">=", "version_value": "8.3.0"}, {"version_affected": "<", "version_value": "8.3.4"}, {"version_affected": ">=", "version_value": "8.4.0"}, {"version_affected": "<", "version_value": "8.4.1"}]}}]}, "vendor_name": "Atlassian"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Jira Importers Plugin in Atlassian Jira Server and Data Cente from version with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8, from 8.0.0 before 8.1.3, from 8.2.0 before 8.2.5, from 8.3.0 before 8.3.4 and from 8.4.0 before 8.4.1 allows remote attackers with Administrator permissions to gain remote code execution via a template injection vulnerability through the use of a crafted PUT request."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Template injection"}]}]}, "references": {"reference_data": [{"name": "20190925 Jira Security Advisory - 2019-09-18 - CVE-2019-15001", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Sep/42"}, {"name": "https://jira.atlassian.com/browse/JRASERVER-69933", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69933"}, {"name": "http://packetstormsecurity.com/files/154611/Jira-Server-Data-Center-Template-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/154611/Jira-Server-Data-Center-Template-Injection.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T00:34:52.905Z"}, "title": "CVE Program Container", "references": [{"name": "20190925 Jira Security Advisory - 2019-09-18 - CVE-2019-15001", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "https://seclists.org/bugtraq/2019/Sep/42"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jira.atlassian.com/browse/JRASERVER-69933"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/154611/Jira-Server-Data-Center-Template-Injection.html"}]}]}, "cveMetadata": {"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-15001", "datePublished": "2019-09-19T14:28:36.566766Z", "dateReserved": "2019-08-13T00:00:00", "dateUpdated": "2024-09-16T23:55:54.513Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : Jira Server (string)

vendor : Atlassian (string)

versions : [ »

0 : { »

lessThan : unspecified (string)

status : affected (string)

version : 7.0.10 (string)

versionType : custom (string)

}

1 : { »

lessThan : 7.6.16 (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

2 : { »

lessThan : unspecified (string)

status : affected (string)

version : 7.7.0 (string)

versionType : custom (string)

}

3 : { »

lessThan : 7.13.8 (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

4 : { »

lessThan : unspecified (string)

status : affected (string)

version : 8.0.0 (string)

versionType : custom (string)

}

5 : { »

lessThan : 8.1.3 (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

6 : { »

lessThan : unspecified (string)

status : affected (string)

version : 8.2.0 (string)

versionType : custom (string)

}

7 : { »

lessThan : 8.2.5 (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

8 : { »

lessThan : unspecified (string)

status : affected (string)

version : 8.3.0 (string)

versionType : custom (string)

}

9 : { »

lessThan : 8.3.4 (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

10 : { »

lessThan : unspecified (string)

status : affected (string)

version : 8.4.0 (string)

versionType : custom (string)

}

11 : { »

lessThan : 8.4.1 (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

]

}

1 : { »

product : Jira Data Center (string)

vendor : Atlassian (string)

versions : [ »

0 : { »

lessThan : unspecified (string)

status : affected (string)

version : 7.0.10 (string)

versionType : custom (string)

}

1 : { »

lessThan : 7.6.16 (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

2 : { »

lessThan : unspecified (string)

status : affected (string)

version : 7.7.0 (string)

versionType : custom (string)

}

3 : { »

lessThan : 7.13.8 (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

4 : { »

lessThan : unspecified (string)

status : affected (string)

version : 8.0.0 (string)

versionType : custom (string)

}

5 : { »

lessThan : 8.1.3 (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

6 : { »

lessThan : unspecified (string)

status : affected (string)

version : 8.2.0 (string)

versionType : custom (string)

}

7 : { »

lessThan : 8.2.5 (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

8 : { »

lessThan : unspecified (string)

status : affected (string)

version : 8.3.0 (string)

versionType : custom (string)

}

9 : { »

lessThan : 8.3.4 (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

10 : { »

lessThan : unspecified (string)

status : affected (string)

version : 8.4.0 (string)

versionType : custom (string)

}

11 : { »

lessThan : 8.4.1 (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

]

}

]

datePublic : 2018-09-18T00:00:00 (string)

descriptions : [ »

0 : { »

lang : en (string)

value : The Jira Importers Plugin in Atlassian Jira Server and Data Cente from version with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8, from 8.0.0 before 8.1.3, from 8.2.0 before 8.2.5, from 8.3.0 before 8.3.4 and from 8.4.0 before 8.4.1 allows remote attackers with Administrator permissions to gain remote code execution via a template injection vulnerability through the use of a crafted PUT request. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

description : Template injection (string)

lang : en (string)

type : text (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2020-07-16T14:01:18 (string)

orgId : f08a6ab8-ed46-4c22-8884-d911ccfe3c66 (string)

shortName : atlassian (string)

}

references : [ »

0 : { »

name : 20190925 Jira Security Advisory - 2019-09-18 - CVE-2019-15001 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_BUGTRAQ (string)

]

url : https://seclists.org/bugtraq/2019/Sep/42 (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://jira.atlassian.com/browse/JRASERVER-69933 (string)

}

2 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : http://packetstormsecurity.com/files/154611/Jira-Server-Data-Center-Template-Injection.html (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : security@atlassian.com (string)

DATE_PUBLIC : 2018-09-18T00:00:00 (string)

ID : CVE-2019-15001 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : Jira Server (string)

version : { »

version_data : [ »

0 : { »

version_affected : >= (string)

version_value : 7.0.10 (string)

}

1 : { »

version_affected : < (string)

version_value : 7.6.16 (string)

}

2 : { »

version_affected : >= (string)

version_value : 7.7.0 (string)

}

3 : { »

version_affected : < (string)

version_value : 7.13.8 (string)

}

4 : { »

version_affected : >= (string)

version_value : 8.0.0 (string)

}

5 : { »

version_affected : < (string)

version_value : 8.1.3 (string)

}

6 : { »

version_affected : >= (string)

version_value : 8.2.0 (string)

}

7 : { »

version_affected : < (string)

version_value : 8.2.5 (string)

}

8 : { »

version_affected : >= (string)

version_value : 8.3.0 (string)

}

9 : { »

version_affected : < (string)

version_value : 8.3.4 (string)

}

10 : { »

version_affected : >= (string)

version_value : 8.4.0 (string)

}

11 : { »

version_affected : < (string)

version_value : 8.4.1 (string)

}

]

}

1 : { »

product_name : Jira Data Center (string)

version : { »

version_data : [ »

0 : { »

version_affected : >= (string)

version_value : 7.0.10 (string)

}

1 : { »

version_affected : < (string)

version_value : 7.6.16 (string)

}

2 : { »

version_affected : >= (string)

version_value : 7.7.0 (string)

}

3 : { »

version_affected : < (string)

version_value : 7.13.8 (string)

}

4 : { »

version_affected : >= (string)

version_value : 8.0.0 (string)

}

5 : { »

version_affected : < (string)

version_value : 8.1.3 (string)

}

6 : { »

version_affected : >= (string)

version_value : 8.2.0 (string)

}

7 : { »

version_affected : < (string)

version_value : 8.2.5 (string)

}

8 : { »

version_affected : >= (string)

version_value : 8.3.0 (string)

}

9 : { »

version_affected : < (string)

version_value : 8.3.4 (string)

}

10 : { »

version_affected : >= (string)

version_value : 8.4.0 (string)

}

11 : { »

version_affected : < (string)

version_value : 8.4.1 (string)

}

]

}

]

}

vendor_name : Atlassian (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : The Jira Importers Plugin in Atlassian Jira Server and Data Cente from version with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8, from 8.0.0 before 8.1.3, from 8.2.0 before 8.2.5, from 8.3.0 before 8.3.4 and from 8.4.0 before 8.4.1 allows remote attackers with Administrator permissions to gain remote code execution via a template injection vulnerability through the use of a crafted PUT request. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : Template injection (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : 20190925 Jira Security Advisory - 2019-09-18 - CVE-2019-15001 (string)

refsource : BUGTRAQ (string)

url : https://seclists.org/bugtraq/2019/Sep/42 (string)

}

1 : { »

name : https://jira.atlassian.com/browse/JRASERVER-69933 (string)

refsource : MISC (string)

url : https://jira.atlassian.com/browse/JRASERVER-69933 (string)

}

2 : { »

name : http://packetstormsecurity.com/files/154611/Jira-Server-Data-Center-Template-Injection.html (string)

refsource : MISC (string)

url : http://packetstormsecurity.com/files/154611/Jira-Server-Data-Center-Template-Injection.html (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-05T00:34:52.905Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

name : 20190925 Jira Security Advisory - 2019-09-18 - CVE-2019-15001 (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_BUGTRAQ (string)

2 : x_transferred (string)

]

url : https://seclists.org/bugtraq/2019/Sep/42 (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://jira.atlassian.com/browse/JRASERVER-69933 (string)

}

2 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : http://packetstormsecurity.com/files/154611/Jira-Server-Data-Center-Template-Injection.html (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : f08a6ab8-ed46-4c22-8884-d911ccfe3c66 (string)

assignerShortName : atlassian (string)

cveId : CVE-2019-15001 (string)

datePublished : 2019-09-19T14:28:36.566766Z (string)

dateReserved : 2019-08-13T00:00:00 (string)

dateUpdated : 2024-09-16T23:55:54.513Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "27645527-F779-4D88-A5DC-3889826057F8", "versionEndExcluding": "7.6.16", "versionStartIncluding": "7.0.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "C5713AA6-6A8E-4047-A2BB-F3DD86F4027F", "versionEndExcluding": "7.13.8", "versionStartIncluding": "7.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "619C9169-030E-4DFA-980B-579C7BEE92EA", "versionEndExcluding": "8.1.3", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "19D84658-E0FE-46A1-8632-E82A617B424C", "versionEndExcluding": "8.2.5", "versionStartIncluding": "8.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CCF9D19-3053-4B57-AE4F-462F26CB7488", "versionEndExcluding": "8.3.4", "versionStartIncluding": "8.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:jira_server:8.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "D45212C3-E178-40D9-B3EF-2738A879A345", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "1099688C-6260-4216-83C9-29ED1347FC9C", "versionEndExcluding": "7.6.16", "versionStartIncluding": "7.0.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "03E27B59-BCEA-433E-94AF-81125454834F", "versionEndExcluding": "7.13.8", "versionStartIncluding": "7.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "0AE27B6F-A8A0-4083-8F80-60D3AD0DBAB5", "versionEndExcluding": "8.1.3", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "221A13F3-D7C3-4F70-B6C6-375B77153C6E", "versionEndExcluding": "8.2.5", "versionStartIncluding": "8.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "A0D36CAF-2183-4989-BB31-6EFA15AD6372", "versionEndExcluding": "8.3.4", "versionStartIncluding": "8.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:jira_data_center:8.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "93D2C7F2-FA9A-471B-8B98-F4089E68ABA7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Jira Importers Plugin in Atlassian Jira Server and Data Cente from version with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8, from 8.0.0 before 8.1.3, from 8.2.0 before 8.2.5, from 8.3.0 before 8.3.4 and from 8.4.0 before 8.4.1 allows remote attackers with Administrator permissions to gain remote code execution via a template injection vulnerability through the use of a crafted PUT request."}, {"lang": "es", "value": "El plugin Jira Importers en Atlassian Jira Server y Data Cente desde la versi\u00f3n 7.0.10 anterior a 7.6.16, desde 7.7.0 anterior a 7.13.8, desde 8.0.0 anterior a 8.1.3, desde 8.2.0 anterior a 8.2.5, desde 8.3.0 anterior a 8.3.4 y desde 8.4.0 anteriores a 8.4.1, permite a atacantes remotos con permisos de Administrador conseguir la ejecuci\u00f3n de c\u00f3digo remota por medio de una vulnerabilidad de inyecci\u00f3n de plantilla mediante el uso de una petici\u00f3n PUT dise\u00f1ada"}], "id": "CVE-2019-15001", "lastModified": "2024-11-21T04:27:51.093", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-09-19T15:15:15.500", "references": [{"source": "security@atlassian.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/154611/Jira-Server-Data-Center-Template-Injection.html"}, {"source": "security@atlassian.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://jira.atlassian.com/browse/JRASERVER-69933"}, {"source": "security@atlassian.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/bugtraq/2019/Sep/42"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/154611/Jira-Server-Data-Center-Template-Injection.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://jira.atlassian.com/browse/JRASERVER-69933"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/bugtraq/2019/Sep/42"}], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 27645527-F779-4D88-A5DC-3889826057F8 (string)

versionEndExcluding : 7.6.16 (string)

versionStartIncluding : 7.0.10 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:* (string)

matchCriteriaId : C5713AA6-6A8E-4047-A2BB-F3DD86F4027F (string)

versionEndExcluding : 7.13.8 (string)

versionStartIncluding : 7.7.0 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 619C9169-030E-4DFA-980B-579C7BEE92EA (string)

versionEndExcluding : 8.1.3 (string)

versionStartIncluding : 8.0.0 (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 19D84658-E0FE-46A1-8632-E82A617B424C (string)

versionEndExcluding : 8.2.5 (string)

versionStartIncluding : 8.2.0 (string)

vulnerable : true (boolean)

}

4 : { »

criteria : cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 9CCF9D19-3053-4B57-AE4F-462F26CB7488 (string)

versionEndExcluding : 8.3.4 (string)

versionStartIncluding : 8.3.0 (string)

vulnerable : true (boolean)

}

5 : { »

criteria : cpe:2.3:a:atlassian:jira_server:8.4.0:*:*:*:*:*:*:* (string)

matchCriteriaId : D45212C3-E178-40D9-B3EF-2738A879A345 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

1 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 1099688C-6260-4216-83C9-29ED1347FC9C (string)

versionEndExcluding : 7.6.16 (string)

versionStartIncluding : 7.0.10 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 03E27B59-BCEA-433E-94AF-81125454834F (string)

versionEndExcluding : 7.13.8 (string)

versionStartIncluding : 7.7.0 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 0AE27B6F-A8A0-4083-8F80-60D3AD0DBAB5 (string)

versionEndExcluding : 8.1.3 (string)

versionStartIncluding : 8.0.0 (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 221A13F3-D7C3-4F70-B6C6-375B77153C6E (string)

versionEndExcluding : 8.2.5 (string)

versionStartIncluding : 8.2.0 (string)

vulnerable : true (boolean)

}

4 : { »

criteria : cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:* (string)

matchCriteriaId : A0D36CAF-2183-4989-BB31-6EFA15AD6372 (string)

versionEndExcluding : 8.3.4 (string)

versionStartIncluding : 8.3.0 (string)

vulnerable : true (boolean)

}

5 : { »

criteria : cpe:2.3:a:atlassian:jira_data_center:8.4.0:*:*:*:*:*:*:* (string)

matchCriteriaId : 93D2C7F2-FA9A-471B-8B98-F4089E68ABA7 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : The Jira Importers Plugin in Atlassian Jira Server and Data Cente from version with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8, from 8.0.0 before 8.1.3, from 8.2.0 before 8.2.5, from 8.3.0 before 8.3.4 and from 8.4.0 before 8.4.1 allows remote attackers with Administrator permissions to gain remote code execution via a template injection vulnerability through the use of a crafted PUT request. (string)

}

1 : { »

lang : es (string)

value : El plugin Jira Importers en Atlassian Jira Server y Data Cente desde la versión 7.0.10 anterior a 7.6.16, desde 7.7.0 anterior a 7.13.8, desde 8.0.0 anterior a 8.1.3, desde 8.2.0 anterior a 8.2.5, desde 8.3.0 anterior a 8.3.4 y desde 8.4.0 anteriores a 8.4.1, permite a atacantes remotos con permisos de Administrador conseguir la ejecución de código remota por medio de una vulnerabilidad de inyección de plantilla mediante el uso de una petición PUT diseñada (string)

}

]

id : CVE-2019-15001 (string)

lastModified : 2024-11-21T04:27:51.093 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : HIGH (string)

cvssData : { »

accessComplexity : LOW (string)

accessVector : NETWORK (string)

authentication : SINGLE (string)

availabilityImpact : COMPLETE (string)

baseScore : 9 (number)

confidentialityImpact : COMPLETE (string)

integrityImpact : COMPLETE (string)

vectorString : AV:N/AC:L/Au:S/C:C/I:C/A:C (string)

version : 2.0 (string)

}

exploitabilityScore : 8 (number)

impactScore : 10 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : HIGH (string)

baseScore : 7.2 (number)

baseSeverity : HIGH (string)

confidentialityImpact : HIGH (string)

integrityImpact : HIGH (string)

privilegesRequired : HIGH (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (string)

version : 3.1 (string)

}

exploitabilityScore : 1.2 (number)

impactScore : 5.9 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2019-09-19T15:15:15.500 (string)

references : [ »

0 : { »

source : security@atlassian.com (string)

tags : [ »

0 : Third Party Advisory (string)

1 : VDB Entry (string)

]

url : http://packetstormsecurity.com/files/154611/Jira-Server-Data-Center-Template-Injection.html (string)

}

1 : { »

source : security@atlassian.com (string)

tags : [ »

0 : Release Notes (string)

1 : Vendor Advisory (string)

]

url : https://jira.atlassian.com/browse/JRASERVER-69933 (string)

}

2 : { »

source : security@atlassian.com (string)

tags : [ »

0 : Mailing List (string)

1 : Third Party Advisory (string)

]

url : https://seclists.org/bugtraq/2019/Sep/42 (string)

}

3 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Third Party Advisory (string)

1 : VDB Entry (string)

]

url : http://packetstormsecurity.com/files/154611/Jira-Server-Data-Center-Template-Injection.html (string)

}

4 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Release Notes (string)

1 : Vendor Advisory (string)

]

url : https://jira.atlassian.com/browse/JRASERVER-69933 (string)

}

5 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Mailing List (string)

1 : Third Party Advisory (string)

]

url : https://seclists.org/bugtraq/2019/Sep/42 (string)

}

]

sourceIdentifier : security@atlassian.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-94 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object