Introduction
This article will talk about a critical vulnerability affecting the Jira application, which was discovered on 08/09/2019, and how to exploit it. The exploitation is built through a scenario that shows the criticality of the vulnerability for the entire organization.
The Vulnerability
As the article described, the "Bulk Email Send" and "Contact Admin" functions were affected by server-side template injection. "Bulk Email Send" requires admin privileges on Jira to be exploited, making it a privilege escalation vulnerability that enables Jira admins to run OS commands as SYSTEM (if Jira is running on Windows). "Contact Admin", however, can be exploited by unauthenticated users to run OS commands as SYSTEM as well. This functionality needs to be enabled first, though, as it is not enabled in a default installation of Jira, and it requires an SMTP server to be configured.
After configuring the SMTP server and enabling the "Contact Admin" feature, the affected form is accessible at this URL: