Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-69793

SSRF in the /plugins/servlet/gadgets/makeRequest resource - CVE-2019-8451

XMLWordPrintable

      The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

      Important Note: The patch is deployed in fix versions and later by configuring the Jira URL allow list. N.B: The allowlist is enabled by default (without any URL's defined). However the fixed versions will be vulnerable if allowlist is disabled by the administrator.

            [JRASERVER-69793] SSRF in the /plugins/servlet/gadgets/makeRequest resource - CVE-2019-8451

            Tim Tutten made changes -
            Description Original: The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class. New: The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

            Important Note: The patch is deployed in fix versions and later by configuring the [Jira URL allow list.|https://confluence.atlassian.com/adminjiraserver/configuring-the-allowlist-1014667309.html] N.B: The allowlist is enabled by default (without any URL's defined). However the fixed versions will be vulnerable if allowlist is disabled by the administrator.
            set-jac-bot made changes -
            Fixed in Enterprise Release/s New: [Download 7.13, 7.6|https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html]

            M Amine added a comment -

            If we are using a reverse-proxy cann't we just block the URI? It is an urgent matter as some client are not able to upgrade asap. 

            M Amine added a comment - If we are using a reverse-proxy cann't we just block the URI? It is an urgent matter as some client are not able to upgrade asap. 
            kitkat (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 463340 ]
            Said made changes -
            Labels Original: CVE-2019-8451 advisory advisory-released cvss-high li_upgrade security New: CVE-2019-8451 advisory advisory-released cvss-high li_upgrade security ssrf
            Brad Bressler made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 462573 ]
            Brad Bressler made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 461837 ]
            Matt Shelton made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 461553 ]

            John Bartelt added a comment -

            I am really amazed that Atlassian has not released a security announcement on their mailing list or on https://www.atlassian.com/trust/security/advisories

            I really hate first hearing about vulnerabilities from my CISO or a bug-bounty hunter.

            John Bartelt added a comment - I am really amazed that Atlassian has not released a security announcement on their mailing list or on https://www.atlassian.com/trust/security/advisories I really hate first hearing about vulnerabilities from my CISO or a bug-bounty hunter.
            Przemyslaw Czuj made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 457121 ]

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Affected customers:
              0 This affects my team
              Watchers:
              46 Start watching this issue

                Created:
                Updated:
                Resolved: