Atlassian Jira Server is vulnerable to Server Side Request Forgery (SSRF). The vulnerability affects Jira Core and Jira Software versions 7.6.0 prior to 8.4.0. CVE 2019–8451 has been assigned to track this vulnerability. Thousands of Jira Servers are potentially affected by this vulnerability.
Vulnerability Details:
The vulnerability was found in the Atlassian Jira /plugins/servlet/gadgets/makeRequest resource and that existed because of a logic bug in the JiraWhitelist class. Any unauthenticated remote attacker could have exploited this vulnerability just by sending a specially crafted web request to the vulnerable Jira server. Successful exploitation of this vulnerability may allow a remote attacker the ability to access the content of internal network resources.
Proof of concept:
Mitigation:
Atlassian has addressed this issue in JIRA Security Advisory JRASERVER-69793
Qualys has released a QID 13579-Atlassian JIRA SSRF Vulnerability (JRASERVER-69793) to detect the vulnerable Jira Servers.
Please continue to follow on Qualys Threat Protection for more coverage on vulnerabilities.
References & Sources:
- https://jira.atlassian.com/browse/JRASERVER-69793