Workaround for CVE-2019-15001
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin (JIM). An attacker with "Jira Administrators" access can exploit this issue. Successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.
Affected Versions
7.0.10 to 7.6.15
7.7.0 to 7.13.7
8.1.0 to 8.1.2
8.2.0 to 8.2.4
8.3.0 to 8.3.3
8.4.0
Resolution
We have released the following versions of Jira Server & Jira Data Center to address this issue:
8.4.1 which is available for download from https://www.atlassian.com/software/jira/download
8.3.4 which is available for download from https://www.atlassian.com/software/jira/update
8.2.5 which is available for download from https://www.atlassian.com/software/jira/update
8.1.3 which is available for download from https://www.atlassian.com/software/jira/update
7.13.8 which is available for download from https://www.atlassian.com/software/jira/update
7.6.16 which is available for download from https://www.atlassian.com/software/jira/update
Upgrading Jira
Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Jira Server & Jira Data Center, see the release notes. You can download the latest version of Jira Server & Jira Data Center from the download center.
Workaround
Workaround 1 - Tomcat (requires restart)
Block direct access to the endpoint for the PUT method only, in Tomcat's deployment descriptor (web.xml):
Shut down the application, and back up your $application-install/atlassian-jira/WEB-INF/web.xml file.
Add the following block inside the <web-app> element:
<security-constraint>
    <web-resource-collection>
        <url-pattern>/rest/jira-importers-plugin/1.0/demo/create</url-pattern>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
Restart the Jira application.
To verify, send a PUT request to the endpoint <Jira_BASE_URL>/rest/jira-importers-plugin/1.0/demo/create?key=NA&name=NA&lead=NA. It now returns a 403 error with a Jira HTML page stating that "Access to the requested resource has been denied".
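As an added check that is not part of the Atlassian article, the following Python script parses a Jira web.xml and confirms that a security constraint matching the one above is present and actually denies PUT (an empty auth-constraint denies every caller; a role-name would instead grant that role). The function names and the sample web.xml content are my own constructions:

```python
# Added check (not Atlassian's code): confirm the CVE-2019-15001 workaround
# constraint exists in a Jira web.xml. Sample inputs below are constructed.
import xml.etree.ElementTree as ET

JIM_ENDPOINT = "/rest/jira-importers-plugin/1.0/demo/create"

def _local(tag):
    """Strip the XML namespace that a real web.xml declares on <web-app>."""
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def constraint_blocks_put(web_xml_text, url_pattern=JIM_ENDPOINT):
    """True if some <security-constraint> denies PUT on url_pattern."""
    root = ET.fromstring(web_xml_text)
    for sc in _children(root, "security-constraint"):
        auth = _children(sc, "auth-constraint")
        # No auth-constraint means "unrestricted"; a role-name would permit
        # that role rather than deny everyone, which the workaround requires.
        if not auth or _children(auth[0], "role-name"):
            continue
        for wrc in _children(sc, "web-resource-collection"):
            patterns = {p.text.strip() for p in _children(wrc, "url-pattern") if p.text}
            methods = {m.text.strip().upper() for m in _children(wrc, "http-method") if m.text}
            if url_pattern in patterns and "PUT" in methods:
                return True
    return False

# Constructed samples: one web.xml with the workaround applied, one without.
_HEAD = '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">'
PATCHED_WEB_XML = _HEAD + """
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/rest/jira-importers-plugin/1.0/demo/create</url-pattern>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>"""
UNPATCHED_WEB_XML = _HEAD + "<display-name>Jira</display-name></web-app>"

if __name__ == "__main__":
    import sys
    # Usage: python check_web_xml.py /path/to/atlassian-jira/WEB-INF/web.xml
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else PATCHED_WEB_XML
    print("PUT blocked on JIM demo endpoint:", constraint_blocks_put(text))
```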
Workaround 2 - Proxy
Block the PUT method on the endpoint at the reverse proxy (tested on Apache HTTPD):
Open the virtual host configuration.
Add the following inside the virtual host to block the endpoint /rest/jira-importers-plugin/1.0/demo/create:
<LocationMatch "/rest/jira-importers-plugin/1.0/demo/create">
    <LimitExcept GET DELETE POST>
        # "Deny from all" is Apache 2.2 syntax; on Apache 2.4 it needs
        # mod_access_compat loaded, or use "Require all denied" instead.
        Deny from all
    </LimitExcept>
</LocationMatch>
Ensure all connectors pass through the proxy.
Restart Apache.
Example virtual host:
<VirtualHost *:80>
    ServerName atlassian.com
    ProxyRequests Off
    ProxyVia Off
    <Proxy *>
        Require all granted
    </Proxy>
    <LocationMatch "/rest/jira-importers-plugin/1.0/demo/create">
        <LimitExcept GET DELETE POST>
            Deny from all
        </LimitExcept>
    </LocationMatch>
    ProxyPass /jira http://localhost:8080/jira
    ProxyPassReverse /jira http://localhost:8080/jira
</VirtualHost>