Atlassian has published security advisory CVE-2019-11581 today, 10 July 2019. The advisory covers multiple versions of Jira Server and Data Center. Jira Cloud is not affected. The goal of this article is to raise awareness of this critical vulnerability and to give you a place to ask further questions about it in Community if needed.
Atlassian's official recommendation is that all affected Jira instances upgrade to a fixed version as soon as possible.
If you do nothing else, turn off the Contact Administrator's form immediately in Jira. While Jira ships by default with this feature OFF, you can check to make sure it is disabled if you are a Jira administrator by going to
More details on this option are in Configuring Jira application options - Atlassian Documentation.
If this option is enabled and Jira is set up to use an SMTP mail server, an unauthenticated user may be able to exploit one avenue of this vulnerability. There are additional mitigation steps below, but these address exploitation that requires an authenticated user with Jira administrator permissions.
7.6.x before 7.6.14 (the fixed version for 7.6.x)
7.13.x before 7.13.5 (the fixed version for 7.13.x)
8.0.x before 8.0.3 (the fixed version for 8.0.x)
8.1.x before 8.1.2 (the fixed version for 8.1.x)
8.2.x before 8.2.3 (the fixed version for 8.2.x)
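To triage an inventory against the ranges listed above, the following added example (not Atlassian's tooling, and not part of the original article) compares version numbers numerically, since a plain string comparison would rank 7.6.9 above 7.6.14. It knows only the five release lines listed on this page, so any other release line is reported as "not-listed" rather than as safe; the instance names in the sample are constructed.

```python
import re

# Fixed version per release line, copied from the list on this page.
FIXED = {
    (7, 6): (7, 6, 14),
    (7, 13): (7, 13, 5),
    (8, 0): (8, 0, 3),
    (8, 1): (8, 1, 2),
    (8, 2): (8, 2, 3),
}


def parse_version(text):
    """Parse 'major.minor[.patch]' into a tuple of ints; reject anything else."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Jira version: {text!r}")
    return tuple(int(p) if p else 0 for p in m.groups())


def assess(version_text):
    """Return (status, fixed_version) where status is 'affected', 'fixed',
    or 'not-listed' (release line absent from this page's list)."""
    version = parse_version(version_text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return ("not-listed", None)
    # Tuple comparison is numeric per component, so 7.6.9 < 7.6.14.
    status = "affected" if version < fixed else "fixed"
    return (status, ".".join(map(str, fixed)))


def triage(inventory):
    """Map instance name -> assessment for a dict of name -> version string."""
    return {name: assess(version) for name, version in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {"jira-prod": "7.6.9", "jira-dev": "8.2.3", "jira-lab": "8.3.0"}
    for name, (status, fixed) in triage(sample).items():
        hint = f" (upgrade to {fixed} or later)" if status == "affected" else ""
        print(f"{name}: {status}{hint}")
```

A "not-listed" result means the version must be checked against Atlassian's advisory itself.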
If you are unable to upgrade Jira immediately, then as a temporary workaround, you can:
SendBulkMail endpoint will prevent Jira Administrators from being able to send bulk emails to users.
After upgrading Jira to a fixed version, you can re-enable the Administrator Contact Form, and unblock the
Andy Heinzer, Atlassian Team