Jira Security Advisory - 2019-09-18 - CVE-2019-15001

Vulnerability Information

CVE ID: CVE-2019-15001

Affected Products:
- Jira Server
- Jira Data Center

Affected Versions

Jira Server and Data Center:
- 7.0.10 <= version < 7.6.16
- 7.7.0 <= version < 7.13.8
- 8.0.0 <= version < 8.1.3
- 8.2.0 <= version < 8.2.5
- 8.3.0 <= version < 8.3.4
- 8.4.0 <= version < 8.4.1

Fixed Versions

7.6.x: 7.6.16
7.13.x: 7.13.8
8.1.x: 8.1.3
8.2.x: 8.2.5
8.3.x: 8.3.4
8.4.x: 8.4.1

Vulnerability Summary

A critical severity server-side template injection vulnerability exists in the Jira Importers Plugin (JIM). An attacker with JIRA Administrators access can exploit this issue to remotely execute code on the affected systems.

Severity

Critical

Description

Jira Server and Data Center versions from 7.0.10 to 7.6.15, 7.7.0 to 7.13.7, 8.0.0 to 8.1.2, 8.2.0 to 8.2.4, 8.3.0 to 8.3.3, and 8.4.0 are affected by this vulnerability.

Fix

Upgrade Jira Server and Data Center to version 8.4.1 or higher. If upgrading to 8.4.1 is not possible, upgrade to the fixed version listed under Fixed Versions for your version series.

Additional Information

Vulnerability Tracker: https://jira.atlassian.com/browse/JRASERVER-69933
Release Notes: https://confluence.atlassian.com/jirasoftware/jira-software-release-notes-776821069.html
Download Center: https://www.atlassian.com/software/jira/download
Support: https://support.atlassian.com/
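
An added example, not part of the Atlassian advisory: a Python check of deployed Jira versions against the affected ranges listed above. Versions are compared as integer tuples so that 7.13.7 sorts after 7.6.16; the function names, hostnames and sample inventory are constructed for illustration.

```python
# Added example: triage Jira versions against the CVE-2019-15001 ranges.
import re

# (inclusive lower bound, exclusive upper bound) from "Affected Versions".
# The upper bound of each range is the first fixed release for that range.
AFFECTED_RANGES = [
    ("7.0.10", "7.6.16"),
    ("7.7.0", "7.13.8"),
    ("8.0.0", "8.1.3"),
    ("8.2.0", "8.2.5"),
    ("8.3.0", "8.3.4"),
    ("8.4.0", "8.4.1"),
]

def parse_version(text):
    """Turn '8.3.2' or '7.13' into a comparable 3-tuple of ints."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Jira version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def check_version(text):
    """Return (affected, fixed_in); fixed_in is None when not affected."""
    v = parse_version(text)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(high):
            return True, high
    return False, None

def triage(inventory):
    """Map host -> verdict string for a {host: version} inventory."""
    report = {}
    for host, version in inventory.items():
        try:
            affected, fixed_in = check_version(version)
        except ValueError:
            # Milestone or vendor-suffixed builds are not guessed at.
            report[host] = "UNKNOWN (check manually)"
            continue
        report[host] = (f"AFFECTED, upgrade to >= {fixed_in}" if affected
                        else "not in affected range")
    return report

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = {"jira-prod": "7.13.7", "jira-dev": "8.4.1", "jira-old": "7.0.9",
              "jira-test": "8.2.4", "jira-lab": "8.5.0-m0003"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```

Feed `triage` the version string shown on each instance's system information page or in your asset inventory; anything it cannot parse is flagged for manual review.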