The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

Important Note: The patch is deployed in fix versions and later by configuring the Jira URL allow list. N.B: The allowlist is enabled by default (without any URL's defined). However the fixed versions will be vulnerable if allowlist is disabled by the administrator.