Attacker Value: Moderate (1 user assessed)
Exploitability: High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2019-8451

Disclosure Date: September 11, 2019
Description

The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

5 Ratings
Technical Analysis

Fairly easy to exploit, but I wasn’t able to do more than send requests from the victim server. May be useful for an attacker to recon internal infrastructure.

My POC can be seen here: https://github.com/h0ffayyy/Jira-CVE-2019-8451

CVSS V3 Severity and Metrics

Base Score: 6.5 Medium
Impact Score: 2.5
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

General Information

Vendors

  • atlassian

Products

  • jira server