CVE-2019-8451
Published: 2019-09-11
- Priority: P2 · 79
- CVSS 3.1: 6.5 (medium), vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- Exploitation: exploited in the wild (ITW); listed in VulnCheck KEV
- EPSS: 94.45% (99.8th percentile)
The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| atlassian | jira | >= unspecified < 8.4.0 | 8.4.0 |
| atlassian | jira_server | >= 7.6.0 < 8.4.0 | 8.4.0 |
Detection & IOCs (extracted from sources)
- url: `http://vulnerablehost.com/plugins/servlet/gadgets/makeRequest?url=http://vulnerablehost.com@http://targethost.com`
- The SSRF bypass uses an '@' symbol in the URL parameter to circumvent the JiraWhitelist allowlist validation — monitor POST requests to /plugins/servlet/gadgets/makeRequest where the 'url' body parameter contains an '@' character separating a trusted host from an attacker-controlled target.
- The exploit requires the HTTP header 'X-Atlassian-Token: no-check' and Content-Type 'application/x-www-form-urlencoded' in the POST request — alert on POST requests to the makeRequest endpoint carrying this header combination.
- The vulnerability is pre-authentication (no credentials required); any unauthenticated POST to /plugins/servlet/gadgets/makeRequest with a crafted 'url' parameter should be treated as a potential exploitation attempt.
- Detect outbound HTTP requests from the Jira server to the cloud metadata IP 169.254.169.254, which indicates successful SSRF exploitation targeting cloud infrastructure credentials.
- Use out-of-band (OAST/interactsh) DNS/HTTP interaction detection to confirm exploitation, as the vulnerability triggers an outbound HTTP request to the attacker-controlled URL embedded after the '@' in the url parameter.
- Shodan queries 'http.component:"Atlassian Jira"' can be used to identify internet-exposed Jira instances for attack surface enumeration; defenders should verify their Jira instances are not indexed with pre-8.4.0 version banners.
- Affected versions are broader than the official advisory states. NVD lists the vulnerability as introduced in v7.6.0 (November 2017), but Unit 42 research found it actually affects versions back to v4.3 (March 2011).
- Microsoft Azure's metadata API enforces a required 'Metadata: True' header, which effectively blocks SSRF-based metadata exfiltration since attackers cannot control headers in redirected requests. GCP legacy metadata API endpoints (v0.1 and v1beta1) remain accessible even when v1 header enforcement is enabled.
- The Jira 7.x branch did not appear to contain a fix for the flaw at the time of disclosure; only upgrading to 8.4.0 or later is confirmed to remediate the vulnerability.
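The following is an added detection example, not code from this page or from any vendor listed on it: it applies the three inbound indicators (the '@' in the `url` body parameter, the `X-Atlassian-Token: no-check` plus form-encoded header pair, and an unauthenticated POST to the endpoint) and the egress indicator (Jira host to 169.254.169.254) to constructed request and connection records. The record layout, the Jira host address 10.0.0.5 and all sample values are assumptions.

```python
from urllib.parse import parse_qs

MAKEREQUEST_PATH = "/plugins/servlet/gadgets/makeRequest"
METADATA_IP = "169.254.169.254"
JIRA_HOST = "10.0.0.5"  # assumed internal address of the Jira server (constructed)

def check_request(rec):
    """Return the names of the inbound indicators that one request record matches."""
    if rec.get("method") != "POST" or rec.get("path") != MAKEREQUEST_PATH:
        return []
    hits = []
    headers = {k.lower(): v.lower() for k, v in rec.get("headers", {}).items()}
    # Header pair carried by the public exploit; legitimate gadget calls send it too, so
    # on its own this is a weak signal and is best combined with the checks below.
    if (headers.get("x-atlassian-token") == "no-check"
            and headers.get("content-type", "").startswith("application/x-www-form-urlencoded")):
        hits.append("poc_header_combo")
    # '@' in the url body parameter: trusted host as userinfo, real target after the '@'.
    # parse_qs percent-decodes, so an encoded %40 is caught as well.
    if any("@" in u for u in parse_qs(rec.get("body", "")).get("url", [])):
        hits.append("at_in_url_param")
    # The endpoint is reachable pre-auth; a POST with no authenticated user is itself suspect.
    if not rec.get("user"):
        hits.append("unauthenticated_post")
    return hits

def check_egress(conn):
    """Flag an outbound connection from the Jira host to the cloud metadata IP."""
    if conn.get("src") == JIRA_HOST and conn.get("dst") == METADATA_IP:
        return ["metadata_ip_egress"]
    return []

def scan(requests, conns):
    """Map record id -> matched indicators, keeping only records with at least one hit."""
    results = [(r["id"], check_request(r)) for r in requests] + [(c["id"], check_egress(c)) for c in conns]
    return {rid: hits for rid, hits in results if hits}

# Constructed sample records: one legitimate gadget call (r1) and one matching the bypass pattern (r2).
POC_HEADERS = {"Content-Type": "application/x-www-form-urlencoded", "X-Atlassian-Token": "no-check"}
SAMPLE_REQUESTS = [
    {"id": "r1", "method": "POST", "path": MAKEREQUEST_PATH, "user": "alice", "headers": POC_HEADERS,
     "body": "url=https%3A%2F%2Fvulnerablehost.com%2Frest%2Fgadgets%2F1.0%2Fg%2Ffeed"},
    {"id": "r2", "method": "POST", "path": MAKEREQUEST_PATH, "user": None, "headers": POC_HEADERS,
     "body": "url=http%3A%2F%2Fvulnerablehost.com%40http%3A%2F%2Ftargethost.com"},
]
SAMPLE_CONNS = [{"id": "c1", "src": JIRA_HOST, "dst": "203.0.113.7"},  # constructed benign egress
                {"id": "c2", "src": JIRA_HOST, "dst": METADATA_IP}]
```

Calling `scan(SAMPLE_REQUESTS, SAMPLE_CONNS)` flags r1 only for the header pair, r2 for all three inbound indicators, and c2 for the metadata-IP egress.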
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| nvd | 2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| vulncheck | | 6.5 | MEDIUM | |
GHSA
GHSA-hp98-w9mh-2g6q · unreviewed · 2022-05-24 · CWE-918 · MEDIUM
VulnCheck
Atlassian Jira Server and Data Center Server-Side Request Forgery (SSRF)
vulncheck · 2019 · CVSS 6.5 · MEDIUM
Affected: Atlassian Jira Server and Data Center
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-06&host_type=src&vulnerability=cve-2019-8451; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vu
No detection rules found.
Nuclei
Jira <8.4.0 - Server-Side Request Forgery
nuclei · CVSS 6.5 · MEDIUM
Jira before 8.4.0 is susceptible to server-side request forgery. The /plugins/servlet/gadgets/makeRequest resource contains a logic bug in the JiraWhitelist class, which can allow an attacker to access the content of internal network resources and thus modify data, and/or execute unauthorized operations.
Template:
```yaml
id: CVE-2019-8451
info:
  name: Jira <8.4.0 - Server-Side Request Forgery
  author: TechbrunchFR
  severity: medium
  description: Jira before 8.4.0 is susceptible to server-side request forgery. The /plugins/servlet/gadgets/makeRequest resource contains a logic bug in the JiraWhitelist class, which can allow an attacker to access the content of internal network resources and thus modify data, and/or execute unauthorized operations.
  impact: |
```
Qualys
Identify Server-Side Attacks Using Qualys Periscope
blogs_qualys · 2022-12-01 · CVSS 8.8 · HIGH
Qualys previously announced the introduction of Qualys Periscope in 2020. This technology allows Qualys Web Application Scanning (WAS) to detect out-of-band vulnerabilities such as server-side request forgery (SSRF). Qualys Periscope provides confirmed detections for additional vulnerabilities, such as Log4j, where it enables rapid development and release of the QID. Occasionally, Qualys receives questions and support cases related to Qualys Periscope. This article will provide more detail on the common questions/situations seen with out-of-band detections.
As of publishing, the vulnerability detections that utilize Qualys Periscope are:
- QID 150055 – OS Command Injection
- QID 150179 – Blind XXE injection
Qualys
Introducing Periscope: Out-of-Band Vulnerability Detection Mechanism in Qualys WAS
blogs_qualys · 2020-01-15
Web applications and REST APIs can be susceptible to a certain class of vulnerabilities that can’t be detected by a traditional HTTP request-response interaction. These out-of-band vulnerabilities are challenging to find but provide a way for attackers to target otherwise inaccessible, internal systems. An attacker can potentially use this to their advantage.
An example from 2019 was a much-publicized data breach against a large U.S. bank, where a key component to the attack was exploitation of a server-side request forgery (SSRF) vulnerability. With SSRF, a vulnerable application (or API) is essentially used as a proxy for an attack against an internal applic
Unit42
Server-Side Request Forgery Exposes Data of Technology, Industrial and Media Organizations
blogs_unit42 · 2019-11-26 · CVSS 6.5 · MEDIUM
### Executive Summary
Server-Side Request Forgery (SSRF) is a web application vulnerability that redirects the attacker's requests to the internal network or localhost behind the firewall. SSRF poses a particular threat to cloud services due to the use of the metadata API that allows applications to access the underlying cloud infrastructure's information such as configurations, logs, and credentials. Although the metadata API can only be accessed locally, the SSRF vulnerability makes it accessible from the internet. This type of vulnerability also bypasses the container sandbox protection. SSRF opens the door for internal network reconnaissance, lateral movement, and even remote code execution.
An application in a container, by default, can directly access the metadata API on its host,
Author: Jay Chen (Unit 42, Cloud Cybersecurity Research) · Published: November 26, 2019
Tenable
CVE-2019-8451: Proof-of-Concept Available for Server Side Request Forgery (SSRF) Vulnerability in Jira
blogs_tenable · 2019-09-25 · CVSS 6.5 · MEDIUM
Greynoiseio
NoiseLetter October 2025
blogs_greynoiseio
Recorded Future
Analyze Recent Atlassian Vulnerabilities and Keep Your Infrastructure Protected
blogs_recorded_future · CVSS 9.6 · CRITICAL
For years, software solutions built by Atlassian have found their way to nearly every organization's software stack. Tools such as JIRA, Confluence, Bamboo, and BitBucket are often seen playing a crucial role in various departments across enterprises.
From managing projects or handling organization-wide documentation, to hosting the very code of a product being developed by the organization, the constant reliance upon and amount of historical data held within these applications have turned them into a lucrative target for attackers, expanding the attack surface in the process.
## Historical Atlassian Vulnerabilities
Traditionally, vulnerabilities within the Atlassian software stack have originated from di