Uploaded image for project: 'Jira Server and Data Center'
  1. Jira Server and Data Center
  2. JRASERVER-71204

SSRF in Dashboard & Gadgets - CVE-2019-20408

    XMLWordPrintable

    Details

      Description

      The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

      As an example to indicate impact, when running the vulnerable version of Jira in an environment like Amazon EC2, this flaw may be used to access to a metadata resource that provides access credentials and other potentially confidential information.

      Affected versions:

      • version < 8.7.0

      Fixed versions:

      • 8.7.0

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              11 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: