CVE-2020-29453
published 2021-02-22

CVE-2020-29453: The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center before version 8.5.11, from 8.6.0 before 8.13.3, and from 8.14.0 before 8.15.0…

Priority P354 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EXPLOIT
EPSS: 23.09% (97.5th percentile)
The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center before version 8.5.11, from 8.6.0 before 8.13.3, and from 8.14.0 before 8.15.0 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.

Affected

16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| atlassian | data_center | >= 8.5.10 < 8.5.11 | 8.5.11 |
| atlassian | data_center | >= 8.6.0 < 8.13.3 | 8.13.3 |
| atlassian | jira_data_center | >= 8.14.0 < unspecified | unspecified |
| atlassian | jira_data_center | >= 8.14.0 < 8.15.0 | 8.15.0 |
| atlassian | jira_data_center | >= 8.6.0 < unspecified | unspecified |
| atlassian | jira_data_center | >= unspecified < 8.5.11 | 8.5.11 |
| atlassian | jira_data_center | >= unspecified < 8.13.3 | 8.13.3 |
| atlassian | jira_data_center | >= unspecified < 8.15.0 | 8.15.0 |
| atlassian | jira_server | >= 8.14.0 < unspecified | unspecified |
| atlassian | jira_server | >= 8.14.0 < 8.15.0 | 8.15.0 |
| atlassian | jira_server | >= 8.5.10 < 8.5.11 | 8.5.11 |
| atlassian | jira_server | >= 8.6.0 < unspecified | unspecified |
| atlassian | jira_server | >= 8.6.0 < 8.13.3 | 8.13.3 |
| atlassian | jira_server | >= unspecified < 8.5.11 | 8.5.11 |
| atlassian | jira_server | >= unspecified < 8.13.3 | 8.13.3 |
| atlassian | jira_server | >= unspecified < 8.15.0 | 8.15.0 |

Detection & IOCs (extracted from sources)

url: /s/{{randstr}}/_/%2e/WEB-INF/classes/META-INF/maven/com.atlassian.jira/jira-core/pom.xml
url: /s/{{randstr}}/_/%2e/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
path: /s/<randstr>/_/%2e/WEB-INF/classes/META-INF/maven/com.atlassian.jira/jira-core/pom.xml
path: /s/<randstr>/_/%2e/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
  • Detect CVE-2020-29453 exploitation attempts by matching HTTP GET requests to Jira paths containing the pattern /s/<token>/_/%2e/ followed by WEB-INF or META-INF directory traversal segments.
  • A successful exploitation response will return HTTP 200 with the string 'com.atlassian.jira' in the body (from the retrieved pom.xml file).
  • Use Shodan queries 'http.component:"Atlassian Jira"' or 'http.component:"atlassian jira"' to identify internet-exposed Jira instances potentially vulnerable to this CVE.
  • The attack is unauthenticated (pre-auth), requires no user interaction, and exploits an incorrect path access check in the CachingResourceDownloadRewriteRule class to read files in WEB-INF and META-INF directories.
  • Affected versions are Jira Server and Jira Data Center before 8.5.11, from 8.6.0 before 8.13.3, and from 8.14.0 before 8.15.0. Detections should be scoped to these version ranges to reduce false positives.
  • The Nuclei template uses a random string token in the URL path ({{randstr}}), so network-level signatures must account for variable path segments between /s/ and /_/%2e/.
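
The matching rule in the bullets above, written as a log scan. This is an added example, not code from the advisory or from any cited template. It assumes a common/combined-format access log, and the sample lines, client addresses and the `classify`/`scan` names are constructed for illustration. It goes slightly beyond the listed paths by matching `%2E` and lower-case directory names as well.

```python
import re

# Client, request line and status from a common/combined-format log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})\b'
)

# /s/<variable token>/_/%2e/ followed by WEB-INF or META-INF.
# The token is any single path segment, so random strings are covered.
PATH_RE = re.compile(r'^/s/[^/]+/_/%2e/(?P<dir>WEB-INF|META-INF)/', re.IGNORECASE)

def classify(line):
    """Return a finding dict for a matching GET request, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    hit = PATH_RE.match(m["path"])
    if not hit:
        return None
    return {
        "client": m["ip"],
        "path": m["path"],
        "dir": hit["dir"].upper(),
        # The log has no response body, so a 200 is only a strong hint.
        "verdict": "likely-read" if m["status"] == "200" else "attempt",
    }

def scan(lines):
    """Classify every line and keep only the findings."""
    return [r for r in map(classify, lines) if r]

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2021:10:00:01 +0000] "GET /s/abc123/_/%2e/WEB-INF/classes/META-INF/maven/com.atlassian.jira/jira-core/pom.xml HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Mar/2021:10:00:02 +0000] "GET /s/zz9/_/%2E/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml HTTP/1.1" 404 312',
    '198.51.100.7 - - [01/Mar/2021:10:00:03 +0000] "GET /s/d41d8cd9/_/download/resources/jira.webresources/global.css HTTP/1.1" 200 20480',
    '198.51.100.7 - - [01/Mar/2021:10:00:04 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["verdict"], finding["client"], finding["path"])
```

Access logs do not record response bodies, so a `likely-read` result is a lead to confirm against the body check described above.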

CVSS provenance

nvd · v3.1 · 5.3 · MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd · v2.0 · 5.0 · MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N