Atlassian JIRA Server and Data Center could allow a remote attacker to execute arbitrary code on the system, due to a server-side template injection vulnerability in various resources. Exploitation requires that an SMTP server has been configured in Jira, and that either the Contact Administrators Form is enabled or the attacker holds "JIRA Administrators" access.
Atlassian has patched a critical vulnerability affecting Jira Server and Data Center versions released since the summer of 2011.
An advisory published today by enterprise software company Atlassian gives details of a server-side template injection that can be exploited without authentication under certain conditions.
Tracked as CVE-2019-11581, the vulnerability was introduced in version 4.4.0. It was discovered and reported by Bugcrowd researcher Daniil Dmitriev.