[JRASERVER-69793] SSRF in the /plugins/servlet/gadgets/makeRequest resource - CVE-2019-8451 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.4.0, 7.6.17, 7.13.9
Affects Version/s: 7.6.9, 8.1.0, 8.0.2
Component/s: Dashboard & Gadgets
Labels:

Fixed in Long Term Support Release/s:

Download 7.13, 7.6
Introduced in Version:
7.06
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

Important Note: The patch is deployed in fix versions and later by configuring the Jira URL allow list. N.B: The allowlist is enabled by default (without any URL's defined). However the fixed versions will be vulnerable if allowlist is disabled by the administrator.

Mentioned in

CSS Top Asks - Jira On Prem: JRASERVER-69793 | SSRF in the /plugins/servlet/gadgets/makeRequest resource - CVE-2019-8451

mentioned in: Page Failed to load; Page Failed to load; Page Failed to load; Page Failed to load; Page Loading...; Page Loading...

(2 mentioned in)

Tim Tutten made changes - 26/Mar/2024 2:17 PM

Description

Original: The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

New: The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

Important Note: The patch is deployed in fix versions and later by configuring the [Jira URL allow list.|https://confluence.atlassian.com/adminjiraserver/configuring-the-allowlist-1014667309.html] N.B: The allowlist is enabled by default (without any URL's defined). However the fixed versions will be vulnerable if allowlist is disabled by the administrator.

set-jac-bot made changes - 22/May/2020 8:27 AM

Fixed in Enterprise Release/s

New: [Download 7.13, 7.6|https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html]

kitkat (Inactive) made changes - 12/Dec/2019 4:55 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 463340 ]

Said made changes - 10/Dec/2019 2:42 AM

Labels

Original: CVE-2019-8451 advisory advisory-released cvss-high li_upgrade security

New: CVE-2019-8451 advisory advisory-released cvss-high li_upgrade security ssrf

Brad Bressler made changes - 09/Dec/2019 5:27 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 462573 ]

Brad Bressler made changes - 03/Dec/2019 4:00 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 461837 ]

Matt Shelton made changes - 02/Dec/2019 11:36 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 461553 ]

Przemyslaw Czuj made changes - 28/Oct/2019 9:01 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 457121 ]

Mateusz Walas (Inactive) made changes - 17/Oct/2019 8:19 AM

Fix Version/s

New: 7.6.17 [ 89490 ]

Bastiaan Jansen (Inactive) made changes - 16/Oct/2019 8:45 AM

Remote Link

New: This issue links to "CSS Top Asks - Jira On Prem: ~~JRASERVER-69793~~ | SSRF in the /plugins/servlet/gadgets/makeRequest resource - CVE-2019-8451 (Trello)" [ 455713 ]

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 46 Start watching this issue

Created:: 12/Aug/2019 2:44 AM

Updated:: 26/Mar/2024 2:17 PM

Resolved:: 12/Aug/2019 2:45 AM

Jira Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

[JRASERVER-69793] SSRF in the /plugins/servlet/gadgets/makeRequest resource - CVE-2019-8451

People

Dates