Rule History

SID: 2027711 • Source: et/open

Versions (3)

Version Details (Current)

Rev: 5 • Jul 15, 2019, 12:00 PM

ET WEB_SPECIFIC_APPS Atlassian JIRA Template Injection RCE (CVE-2019-11581)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Atlassian JIRA Template Injection RCE (CVE-2019-11581)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/secure/ContactAdministrators"; fast_pattern; content:".jspa"; endswith; http.request_body; content:"subject="; content:"|2e|forName"; distance:0; content:"java.lang.Runtime"; distance:2; within:23; content:"|2e|getMethod"; distance:2; within:16; content:"getRuntime"; distance:1; within:16; content:"|2e|exec"; distance:0; content:"|2e|waitFor"; distance:0; reference:url,medium.com/@ruvlol/rce-in-jira-cve-2019-11581-901b845f0f; reference:url,confluence.atlassian.com/jira/jira-security-advisory-2019-07-10-973486595.html; reference:cve,CVE-2019-11581; classtype:attempted-admin; sid:2027711; rev:5; metadata:attack_target Web_Server, created_at 2019_07_15, deployment Perimeter, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2020_09_17;)

Jul 15, 2019, 12:00 PM

Sep 17, 2020, 12:00 PM

Sep 21, 2024, 3:00 AM

May 30, 2025, 12:04 AM

rules/emerging-web_specific_apps.rules