Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-69793

SSRF in the /plugins/servlet/gadgets/makeRequest resource - CVE-2019-8451

    XMLWordPrintable

Details

    Description

      The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

      Important Note: The patch is deployed in fix versions and later by configuring the Jira URL allow list. N.B: The allowlist is enabled by default (without any URL's defined). However the fixed versions will be vulnerable if allowlist is disabled by the administrator.

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              45 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: