Atlassian issued a critical security advisory for several programs used in conjunction with the company’s Jira Server and Data Center products.

The vulnerability, CVE-2019-11581, affects Jira Software, Jira Core, and Jira Service Desk; Jira Cloud customers are not affected. The server-side template injection vulnerability was introduced in version 4.4.0 of Jira Server and Data Center.

The company said that for the issue to be exploited, one of two conditions must be met: either an SMTP server has been configured in Jira and the Contact Administrators Form is enabled, or an SMTP server has been configured in Jira and the attacker has “JIRA Administrators” access.

“In the first case, where the Contact Administrators Form is enabled, attackers are able to exploit this issue without authentication. In the second case, attackers with “JIRA Administrators” access can exploit this issue. In either case, successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center,” the alert stated.