Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-8451Server-Side Request Forgery in Atlassian Jira

CWE-918Server-Side Request Forgery6 documents6 sources
Severity
6.5MEDIUMNVD
EPSS
92.8%
top 0.24%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Atlassian JiraAtlassian Jira Server
Timeline
PublishedSep 11
Latest updateMay 24

Description

The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages2 packages

NVDatlassian/jira_server7.6.08.4.0
CVEListV5atlassian/jiraunspecified8.4.0

🔴Vulnerability Details

3
GHSA
GHSA-hp98-w9mh-2g6q: The /plugins/servlet/gadgets/makeRequest resource in Jira before version 82022-05-24
CVEList
CVE-2019-8451: The /plugins/servlet/gadgets/makeRequest resource in Jira before version 82019-09-11
VulnCheck
Atlassian Jira Server and Data Center Server-Side Request Forgery (SSRF)2019

💥Exploits & PoCs

1
Nuclei
Jira <8.4.0 - Server-Side Request Forgery
CVE-2019-8451 — Server-Side Request Forgery | cvebase