Jira Software Server CVE-2021-26086 Vulnerability Actively Exploited in the Wild

Atlassian released an advisory about the newly identified path traversal and file read vulnerability, CVE-2021-26086, in Jira Software Server. Threat actors could exploit this vulnerability to poison the server logs, thereby causing remote code execution and/or exfiltration of sensitive files and information.
Published on October 8, 2021
Updated on April 19, 2023

Category: Vulnerability Intelligence
Vulnerability Class: Path Traversal and Read File Vulnerability
CVE ID: CVE-2021-26086
CVSS:3.0 Score: 5.3
CVSS Severity: Medium
TLP: GREEN (see https://en.wikipedia.org/wiki/Traffic_Light_Protocol)

Executive Summary

  • Atlassian released an advisory [1] about the newly identified path traversal and file read vulnerability, CVE-2021-26086, in Jira Software Server.
  • Jira Software is a proprietary issue tracking product developed by Atlassian that allows bug tracking and agile project management.
  • This vulnerability is being actively exploited in the wild and has affected multiple versions of the software.
  • Atlassian has released a patch for CVE-2021-26086 in their latest versions of the Jira software including versions 8.5.14, 8.13.6, 8.16.1, and 8.17.0.
  • Threat actors could exploit this vulnerability to poison the server logs, thereby causing remote code execution and/or exfiltration of sensitive files and information.

Analysis

  • Atlassian Jira is one of the most popular ticketing tools used by organizations around the world. The vulnerability, CVE-2021-26086, is present in the following versions of Atlassian Jira Server and Data Center:
    • All versions below 8.5.14
    • All versions from 8.6.0 and before 8.13.6
    • All versions from 8.14.0 and before 8.16.1
  • This vulnerability allows a remote attacker to read any file under the /WEB-INF/ and /META-INF/ directories via a path traversal flaw.
  • The ease of exploitation of this flaw is alarming, as a single GET request to the above-mentioned path is enough to disclose the requested file.
  • Successful exploitation results in full disclosure of sensitive logging files and configuration settings. [2]

Proof of Concept (POC)

The Proof of Concept (POC) [3] for this vulnerability involves sending a GET request to the /META-INF/ path to retrieve sensitive information. The request used is:

    GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1

The execution of this request is shown in the screenshot below, along with the endpoint being used.

[Screenshot of the Proof of Concept]

Impact & Mitigation

Impact

  • A remote attacker can read files and sensitive logging information available in the META-INF or WEB-INF directory.
  • The META-INF directory contains logging information and advanced configuration settings which can be read by the attacker.
  • A remote attacker can leverage that information to chain the attack and increase the attack surface.
  • This vulnerability can be leveraged to conduct an RCE (remote code execution) attack by poisoning the logs on the server.
  • RCE allows attackers to take control of target systems and even execute ransomware on them.
  • Initial access to a corporate endpoint may potentially enable lateral movement across the internal network.
  • Nation-state actors leverage client-side zero-day vulnerabilities to compromise information, while ransomware groups use these vulnerabilities to extort money by encrypting user data.

Mitigation

  • Immediately update Jira Software to any of the following patched versions:
    • 8.5.14
    • 8.13.6
    • 8.16.1
    • 8.17.0
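Two defender checks follow the advisory's own facts: the affected version ranges listed in the Analysis and Mitigation sections, and the request shape shown in the POC section. The script below is an added example written for this post, not Atlassian's or the PoC author's code; it assumes a Tomcat/Apache common-log-format access log, and the sample log lines (RFC 5737 documentation addresses) are constructed.

```python
import re
from urllib.parse import unquote

# Affected version ranges from the Atlassian advisory quoted above:
# lower bound inclusive, upper bound exclusive (the fixed release).
AFFECTED_RANGES = [
    ((0, 0, 0), (8, 5, 14)),    # everything below 8.5.14
    ((8, 6, 0), (8, 13, 6)),    # 8.6.0 up to, but not including, 8.13.6
    ((8, 14, 0), (8, 16, 1)),   # 8.14.0 up to, but not including, 8.16.1
]

def parse_version(version):
    """Turn '8.13.5' into (8, 13, 5); missing components default to 0."""
    parts = [int(p) for p in version.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(version):
    """True when a Jira Server/Data Center version falls in an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

# A static-resource ("/s/") path carrying a ";" path-parameter segment that is
# followed by a /META-INF/ or /WEB-INF/ component, as in the PoC request.
TRAVERSAL_RE = re.compile(r'/s/[^\s"]*;[^\s"]*/(?:META-INF|WEB-INF)/', re.IGNORECASE)
# Common-log-format line: client, ident, user, [timestamp], "METHOD path proto", status.
ACCESS_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def scan_access_log(lines):
    """Return one dict per request whose (URL-decoded) path matches the pattern."""
    hits = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue
        client, ts, method, path, status = m.groups()
        # Decode first so that an encoded semicolon (%3B) does not evade the check.
        if TRAVERSAL_RE.search(unquote(path)):
            hits.append({"client": client, "time": ts, "method": method,
                         "path": path, "status": int(status)})
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Oct/2021:10:15:02 +0000] "GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1" 200 312',
    '198.51.100.7 - - [08/Oct/2021:10:15:09 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [08/Oct/2021:10:16:40 +0000] "GET /s/cfx/_/%3B/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1" 200 312',
]

if __name__ == "__main__":
    print(is_vulnerable("8.13.5"), scan_access_log(SAMPLE_LOG))
```

A status of 200 on a matching request indicates the file was actually served, which is the case to escalate; 4xx responses on the same pattern still show that an instance is being probed.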

References

  1. Jira Server Advisory (Atlassian)
  2. Important Directories and Files - Jira Server
  3. POC by PacketStorm
