id: CVE-2019-11581

info:
  name: Atlassian Jira Server-Side Template Injection
  author: ree4pwn
  severity: critical
  description: Jira Server and Data Center is susceptible to a server-side template injection vulnerability via the ContactAdministrators and SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.
  impact: |
    Successful exploitation of this vulnerability can lead to remote code execution, compromising the confidentiality, integrity, and availability of the affected system.
  remediation: |
    Apply the necessary security patches or upgrade to a fixed version provided by Atlassian to mitigate this vulnerability.
  reference:
    - https://github.com/jas502n/CVE-2019-11581
    - https://jira.atlassian.com/browse/JRASERVER-69532
    - https://nvd.nist.gov/vuln/detail/CVE-2019-11581
    - https://github.com/0x48piraj/jiraffe
    - https://github.com/bakery312/Vulhub-Reproduce
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-11581
    cwe-id: CWE-74
    epss-score: 0.97379
    epss-percentile: 0.99897
    cpe: cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: atlassian
    product: jira
    shodan-query: http.component:"Atlassian Jira"
  tags: cve,cve2019,atlassian,jira,ssti,rce,kev

http:
  - method: GET
    path:
      - "{{BaseURL}}/secure/ContactAdministrators!default.jspa"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Contact Site Administrators"

      - type: word
        part: body
        negative: true
        words:
          - "has not yet configured this contact form"

      - type: regex
        part: body
        regex:
          - "\\(v4\\.4\\."
          - "\\(v5\\."
          - "\\(v6\\."
          - "\\(v7\\.[012345789]\\."
          - "\\(v7\\.1[0-2]\\."
          - "\\(v7\\.6\\.([0-9]|[1][0-3])"
          - "\\(v7\\.\\13\\.[0-4]"
          - "\\(v8\\.0\\.[0-2]"
          - "\\(v8\\.1\\.[0-1]"
          - "\\(v8\\.2\\.[0-2]"
        condition: or
# digest: 4a0a00473045022100b8e0de54aed749444c2182e9e8df595b8e8f1a50ba0d84fee8f9f6208dada7b102201a3f6e5736aacbacc91733a76b2fcb238b12a3bec104a4dcffd701f184768a00:922c64590222798bb761d5b6d8e72950