CRZ-006

Jira Server 7.12.3 (2018 build, product EOL) — multiple unauthenticated RCE CVEs

Severity: critical (CVSS 3.1: 9.8) · Asset: jira.corezoid.com

Exploitability assessment (2026-04-26 testing)

CVE | Exploitable on this instance? | Evidence
--- | --- | ---
CVE-2019-11581 (unauth RCE via ContactAdministrators) | NO | ContactAdministrators form is disabled ("Your Jira administrator has not yet configured this contact form"), though ajs-outgoing-mail-enabled: true confirms SMTP is present. The form-disabled flag breaks the primary anonymous vector.
CVE-2019-11581 (auth RCE via SendBulkMail) | Likely YES | Any admin account can trigger template injection via the SendBulkMail form. With user enumeration + weak auth on this old version, escalation to admin is plausible.
CVE-2020-36239 (Ehcache RMI RCE) | NO | All RMI ports (40001/40011/40021/40031/40051/40061/40071) are filtered at the network layer.
CVE-2022-0540 (Seraph auth bypass) | Depends on plugins | Affects specific Atlassian plugins (Insight, Mobile, Questions for Confluence). Plugin inventory not yet obtained.
CVE-2019-8451 (SSRF via makeRequest) | NO (probably) | /plugins/servlet/gadgets/makeRequest returned 404. Plugin may be removed.
CVE-2019-8442 / 8449 (path traversal / user enum) | YES (info disclosure only) | Version susceptible; anonymous user search endpoint is reachable.
Version disclosure via /rest/api/2/serverInfo | CONFIRMED | Anonymous request leaks full version and build info.

Even though the "easiest" CVE-2019-11581 vector is disabled by form config, the Jira is still a loaded gun — any of the following scenarios turns a non-critical finding into active exploitation:

  1. An admin re-enables the ContactAdministrators form → immediate unauth RCE
  2. A plugin update or config change opens one of the Ehcache ports
  3. A new CVE is discovered for a version that will never receive a patch (Jira Server EOL Feb 2024)
  4. Any admin's credentials leak (password reuse, phishing) → authenticated RCE via SendBulkMail
  5. Atlassian plugins with unfixed CVEs are installed

Summary

jira.corezoid.com is running Atlassian Jira Server 7.12.3, built 2018-10-12 (build 712004). This version is ~7.5 years old at the time of this report (2026-04-26) and is affected by multiple publicly known remote code execution and authentication bypass CVEs. Atlassian Jira Server reached end-of-life in February 2024; no security updates are being issued for any 7.x version.

The version was disclosed via the unauthenticated /rest/api/2/serverInfo endpoint.

Reproduction

Step 1 — version disclosure (unauthenticated):

$ curl -sk 'https://jira.corezoid.com/rest/api/2/serverInfo'
{
  "baseUrl":"https://jira.corezoid.com",
  "version":"7.12.3",
  "versionNumbers":[7,12,3],
  "deploymentType":"Server",
  "buildNumber":712004,
  "buildDate":"2018-10-12T00:00:00.000+0000",
  "scmInfo":"5ef91d760d7124da5ebec5c16a948a4a807698df",
  "serverTitle":"Middleware JIRA"
}

Step 2 — HTML meta tag also leaks build:

$ curl -sk 'https://jira.corezoid.com/login.jsp' | grep ajs-build-number
<meta name="ajs-build-number" content="712004">

Applicable CVEs (non-exhaustive)

Per the Atlassian security advisories and NVD:

CVE | CVSS | Type | Affects 7.12.3?
--- | --- | --- | ---
CVE-2019-11581 | 9.8 | Unauthenticated RCE via server-side template injection in ContactAdministrators + SendBulkMail | YES (affects 4.4.0–7.6.13, 7.7.0–7.12.x, 7.13.0–7.13.5)
CVE-2020-36239 | 9.8 | Unauthenticated RCE via exposed Ehcache RMI port | YES (affects 6.3.0 → 8.5.15, 8.6.0 → 8.13.7, 8.14.0 → 8.17.0)
CVE-2019-8442 | 5.3 | Path traversal in metadata | YES (affects <7.13.1, <8.0.3)
CVE-2019-8449 | 5.3 | Auth bypass — user enumeration | YES (affects <8.4.0)
CVE-2019-8451 | 8.6 | SSRF in /plugins/servlet/gadgets/makeRequest | YES (affects <8.4.0)
CVE-2019-14994 | 6.5 | Path traversal | YES
CVE-2020-14181 | 5.3 | User enumeration | YES
CVE-2020-36287 | 6.1 | XSS | YES
CVE-2021-26086 | 5.3 | Path traversal → sensitive file read | YES
CVE-2021-39115 | 5.3 | XSS | YES
CVE-2022-0540 | 9.8 | Auth bypass in Seraph | YES (affects multiple <8.22.6)
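The reproduction steps and the table above together give everything needed for an inventory-side triage check: parse the serverInfo JSON and the login-page meta tag, confirm the two build numbers agree, and map the version onto the affected ranges the table lists. The script below is an added example written for this report, not Atlassian code; the sample responses are constructed to mirror the captured ones, and only the six CVEs with explicit ranges in the table are encoded (the unranged rows are omitted, so this is a lower bound).

```python
import json
import re

# Affected-version ranges copied from the CVE table above, as inclusive
# (low, high) bounds; ANY stands for "x" (any patch level). Not exhaustive.
ANY = 10**6
AFFECTED = {
    "CVE-2019-11581": [((4, 4, 0), (7, 6, 13)), ((7, 7, 0), (7, 12, ANY)), ((7, 13, 0), (7, 13, 5))],
    "CVE-2020-36239": [((6, 3, 0), (8, 5, 15)), ((8, 6, 0), (8, 13, 7)), ((8, 14, 0), (8, 17, 0))],
    "CVE-2019-8442": [((0, 0, 0), (7, 13, 0)), ((8, 0, 0), (8, 0, 2))],  # <7.13.1, <8.0.3
    "CVE-2019-8449": [((0, 0, 0), (8, 3, ANY))],                          # <8.4.0
    "CVE-2019-8451": [((0, 0, 0), (8, 3, ANY))],                          # <8.4.0
    "CVE-2022-0540": [((0, 0, 0), (8, 22, 5))],                           # <8.22.6
}

def parse_server_info(body):
    """Return (version tuple, buildNumber, deploymentType) from a /rest/api/2/serverInfo body."""
    info = json.loads(body)
    nums = info.get("versionNumbers") or [int(p) for p in info["version"].split(".")]
    version = tuple(nums) + (0,) * (3 - len(nums))   # pad e.g. "8.5" -> (8, 5, 0)
    return version[:3], info.get("buildNumber"), info.get("deploymentType")

def parse_build_meta(html):
    """Return the build number leaked by the ajs-build-number meta tag on login.jsp."""
    m = re.search(r'<meta name="ajs-build-number" content="(\d+)"', html)
    return int(m.group(1)) if m else None

def affected_cves(version):
    """CVE ids from AFFECTED whose version ranges include the given version."""
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(lo <= version <= hi for lo, hi in ranges))

def triage(server_info_body, login_html):
    """Summarise what a defender needs: version, build consistency, EOL status, known CVEs."""
    version, build, deployment = parse_server_info(server_info_body)
    return {
        "version": ".".join(map(str, version)),
        "build_consistent": build == parse_build_meta(login_html),
        "server_eol": deployment == "Server",   # every Jira Server release is EOL (Feb 2024)
        "cves": affected_cves(version),
    }

# Constructed sample input mirroring the responses captured in the report.
SAMPLE_SERVER_INFO = ('{"version":"7.12.3","versionNumbers":[7,12,3],'
                      '"deploymentType":"Server","buildNumber":712004}')
SAMPLE_LOGIN_HTML = '<html><head><meta name="ajs-build-number" content="712004"></head></html>'

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SERVER_INFO, SAMPLE_LOGIN_HTML), indent=2))
```

Run against saved responses from each Jira host in the estate to produce the patch-priority list; a mismatch in build_consistent usually means a proxy or a stale cached login page rather than two different installations.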

Bottom line: A version this old accumulates dozens of CVEs. CVE-2019-11581 alone is sufficient to fully compromise the server with no authentication required.

PoC (NOT executed — RoE violation)

CVE-2019-11581 works by injecting a Velocity template into the Contact Administrators form. Minimal PoC outline:

# DO NOT RUN — this would achieve RCE and is outside RoE.
# Provided here for remediation urgency context only.
curl -sk 'https://jira.corezoid.com/secure/ContactAdministrators!default.jspa'
# [then POST a Velocity template payload into the form]

Evidence

Impact

Remediation

Priority 1 — immediate:

  1. Take jira.corezoid.com offline until patched, OR restrict access to VPN-only CIDRs.
  2. Upgrade to Jira Data Center 10.x (latest supported) — note that Jira Server is EOL since Feb 2024, so a migration to Data Center or Cloud is mandatory, not just a patch.
  3. Audit Jira access logs for the last 7.5 years for any evidence of exploitation — CVE-2019-11581 was actively exploited in the wild since mid-2019.
  4. Rotate every credential that was ever pasted into a Jira ticket, comment, or wiki (Slack integration token, SSH key, DB password, etc.) — assume compromise until proven otherwise.
  5. Rotate every API token issued by this Jira instance.

Priority 2 — hardening after migration:

  1. Block Ehcache RMI port (40001, 40011, 40021, 40031, 40051) at network layer (CVE-2020-36239).
  2. Require mTLS or SSO for Jira access.
  3. Move to a regularly patched Jira Cloud unless there is a compelling on-prem requirement.

References