CVE-2019-8451
published 2019-09-11


Priority: P2, 79, medium
CVSS 3.1: 6.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:N)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 94.45% (99.8th percentile)
The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

Affected (2 ranges)

Vendor      Product       Version range              Fixed in
atlassian   jira          >= unspecified < 8.4.0     8.4.0
atlassian   jira_server   >= 7.6.0 < 8.4.0           8.4.0

Detection & IOCs (extracted from sources)

path: /plugins/servlet/gadgets/makeRequest
command: url=https://{{Host}}:443@{{interactsh-url}}
command: POST /plugins/servlet/gadgets/makeRequest
url: http://vulnerablehost.com/plugins/servlet/gadgets/makeRequest?url=http://vulnerablehost.com@http://targethost.com
url: http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name
  • The SSRF bypass uses an '@' symbol in the URL parameter to circumvent the JiraWhitelist allowlist validation; monitor POST requests to /plugins/servlet/gadgets/makeRequest where the 'url' body parameter contains an '@' character separating a trusted host from an attacker-controlled target.
  • The exploit requires the HTTP header 'X-Atlassian-Token: no-check' and Content-Type 'application/x-www-form-urlencoded' in the POST request; alert on POST requests to the makeRequest endpoint carrying this header combination.
  • The vulnerability is pre-authentication (no credentials required); any unauthenticated POST to /plugins/servlet/gadgets/makeRequest with a crafted 'url' parameter should be treated as a potential exploitation attempt.
  • Detect outbound HTTP requests from the Jira server to the cloud metadata IP 169.254.169.254; such traffic indicates successful SSRF exploitation targeting cloud infrastructure credentials.
  • Use out-of-band (OAST/interactsh) DNS/HTTP interaction detection to confirm exploitation, since the vulnerability triggers an outbound HTTP request to the attacker-controlled URL embedded after the '@' in the url parameter.
  • Shodan queries such as 'http.component:"Atlassian Jira"' can be used to identify internet-exposed Jira instances for attack surface enumeration; defenders should verify that their Jira instances are not indexed with pre-8.4.0 version banners.
  • Affected versions are broader than the official advisory states: NVD lists the vulnerability as introduced in v7.6.0 (November 2017), but Unit 42 research found it actually affects versions back to v4.3 (March 2011).
  • Microsoft Azure's metadata API enforces a required 'Metadata: True' header, which effectively blocks SSRF-based metadata exfiltration since attackers cannot control headers in redirected requests. GCP legacy metadata API endpoints (v0.1 and v1beta1) remain accessible even when v1 header enforcement is enabled.
  • The Jira 7.x branch did not appear to contain a fix for the flaw at the time of disclosure; only upgrading to 8.4.0 or later is confirmed to remediate the vulnerability.
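The detection rules above, applied to a single parsed HTTP request, as an added Python example that is not from this page or from Atlassian. The trusted_hosts set (the Jira instance's own hostnames, e.g. the constructed jira.example.internal) is an assumed input, and the sample requests are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

MAKEREQUEST_PATH = "/plugins/servlet/gadgets/makeRequest"
CLOUD_METADATA_IP = "169.254.169.254"   # from the IOC list above


def effective_target(url):
    """Host the fetch actually reaches: anything before the last '@' in the
    authority is userinfo, so the real host follows it. The IOC on this page
    puts a second scheme after the '@', so that is stripped as well."""
    tail = url.rsplit("@", 1)[-1]
    tail = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", tail)
    host = re.split(r"[/?#]", tail, 1)[0]
    return re.sub(r":\d*$", "", host)        # drop an explicit port


def analyze_request(method, path, headers, body, trusted_hosts):
    """Tag one request against the rules above; [] means not of interest.
    trusted_hosts: the Jira instance's own hostnames (assumed known)."""
    if urlsplit(path).path != MAKEREQUEST_PATH:
        return []
    hdr = {k.lower(): v for k, v in headers.items()}
    if method.upper() == "POST":
        params = parse_qs(body)                   # form-encoded body
    else:
        params = parse_qs(urlsplit(path).query)
    url = params.get("url", [None])[0]
    if url is None:
        return []
    findings = ["makerequest_url_param"]
    netloc = urlsplit(url).netloc
    if "@" in netloc:
        # "trusted@attacker": the allowlist only saw the part before '@'
        findings.append("userinfo_in_url")
        spoofed = re.sub(r":\d*$", "", netloc.rsplit("@", 1)[0])
        if spoofed in trusted_hosts:
            findings.append("trusted_host_in_userinfo")
    target = effective_target(url)
    if target == CLOUD_METADATA_IP:
        findings.append("cloud_metadata_target")
    elif target not in trusted_hosts:
        findings.append("external_target")
    if (method.upper() == "POST"
            and hdr.get("x-atlassian-token", "").lower() == "no-check"
            and "application/x-www-form-urlencoded" in hdr.get("content-type", "")):
        findings.append("xsrf_bypass_headers")
    return findings
```

A request whose only tag is makerequest_url_param is ordinary gadget traffic to the instance itself; any of the other tags, and especially cloud_metadata_target, warrants an alert.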

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      6.5     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
nvd         v2.0      6.4     MEDIUM     AV:N/AC:L/Au:N/C:P/I:P/A:N
vulncheck             6.5     MEDIUM