[JRASERVER-72695] Limited Remote File Read in Jira Software Server - CVE-2021-26086

    • Severity: 5.3 (Medium)
    • CVE-2021-26086

      Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint.


      The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.


      Affected versions:

      • version < 8.5.14
      • 8.6.0 ≤ version < 8.13.6
      • 8.14.0 ≤ version < 8.16.1

      Fixed versions:

      • 8.5.14
      • 8.13.6
      • 8.16.1
      • 8.17.0
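The affected ranges above are easy to misread when triaging an inventory (for example, whether a release newer than the listed fixed versions is in scope), so here is an added example, not code from the Atlassian ticket, that encodes exactly those ranges and reports which hosts still run an affected version. The hostnames and versions in the inventory are constructed for illustration.

```python
# Added example (not from the Atlassian ticket): checks Jira Server /
# Data Center version strings against the affected ranges stated in
# JRASERVER-72695 (CVE-2021-26086) so an inventory can be triaged.
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# (lower bound inclusive or None, upper bound exclusive), as listed above.
AFFECTED_RANGES: List[Tuple[Optional[Version], Version]] = [
    (None, (8, 5, 14)),          # version < 8.5.14
    ((8, 6, 0), (8, 13, 6)),     # 8.6.0 <= version < 8.13.6
    ((8, 14, 0), (8, 16, 1)),    # 8.14.0 <= version < 8.16.1
]

def parse_version(text: str) -> Version:
    """Turn '8.13.5' (or '8.13.5-SNAPSHOT') into a numeric tuple.
    Components are padded to three so '8.6' compares as 8.6.0; anything
    after the first '-' is dropped as a build qualifier."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))

def is_affected(text: str) -> bool:
    """True if the version falls inside any affected range above."""
    v = parse_version(text)
    for lower, upper in AFFECTED_RANGES:
        if lower is not None and v < lower:
            continue
        if v < upper:
            return True
    return False

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY: Dict[str, str] = {
    "jira-prod-01": "8.13.5",
    "jira-prod-02": "8.13.6",
    "jira-dev": "8.5.9",
    "jira-uat": "8.20.0",
}

def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Hostnames whose version is still inside an affected range."""
    return sorted(h for h, ver in inventory.items() if is_affected(ver))

if __name__ == "__main__":
    for host in affected_hosts(INVENTORY):
        print(f"{host}: {INVENTORY[host]} is affected, upgrade to a fixed release")
```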

      Mitigation

      Until you upgrade, you may use the following workaround to protect the files:
      https://confluence.atlassian.com/jirakb/workaround-for-cve-2019-15004-979416164.html

      Note: Workaround 1 in the above KB article is not valid for this purpose. Workaround 2 (proxy/load balancer configuration) is valid.


            salmanairi added a comment -

            Hi

            urlrewrite.xml and Apache workarounds didn't work

            could you provide an update?

            Thanks

            tom added a comment -

            @Nathan: Are you sure? IMHO both regexes in Workaround 2 also search for ".." (which is not sufficient for this CVE).

            (as a result of my comment of yesterday, the "Note" was just added to the Mitigation section)


            tom added a comment -

            Both workarounds in the "Mitigation" linked above simply block URLs containing ".." (typical path traversal). However, if you look at the attacking URLs in CVE-2021-26086, the ".." characters are not contained at all.

            So IMHO Atlassian should

            • either remove the (non-working) mitigation
            • or clearly state how the contained regexes have to be adapted to block this specific attack.


            Frédéric Esnault added a comment -

            Hi!

            For me, the urlrewrite.xml workaround didn't fix anything (I restarted Jira of course).

            Anything I missed?

            Sylvain Leduc added a comment -

            Hello

            The mitigation shows this link https://confluence.atlassian.com/jirakb/workaround-for-cve-2019-15004-979416164.html but this link says "This workaround fixes CVE-2019-14994 and CVE-2019-15004" and was updated for the last time 'on Jun 22, 2021' while this current JRASERVER-72695 ticket was created/resolved in August 21.

            Could you please update the KB to mention this CVE to be sure it is covered / not a typo?

            I believe as both mention "path traversal" that it is ok.

            Gaurav Jakharia added a comment -

            Hello,

            Is the vulnerability fix applicable for version 8.20.0 (Jira Server) apart from the mentioned fixed versions:

            Fix Version/s: 8.5.14, 8.13.6, 8.16.1, 8.17.0

            Lou-Guardia added a comment - edited

            I would like to know why this is a Low priority and why it has not been touched for over 2 months. Our security team has this as a high vulnerability.


            Tarik Kobalas added a comment - edited

            This vulnerability is also valid on Bamboo Servers (tested with 7.25, 8.0.0, 8.0.1 versions). Will there be a patch for Bamboo?

            Edit: With the version 7.26 the problem is solved.


            . added a comment -

            Also, please advise on a URL filtering rule to mitigate this.


            . added a comment -

            It seems to be possible to read any file under atlassian-jira - is it also possible to read out folders upwards of this folder?


              Assignee: Unassigned
              Reporter: Security Metrics Bot
              Votes: 0
              Watchers: 16