CVE-2021-26086
published 2021-08-16


Priority: P182
Severity: medium, 5.3 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2024-12-03
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.

Affected

16 ranges
Vendor     Product            Version range               Fixed in
atlassian  jira_data_center   < 8.5.14                    8.5.14
atlassian  jira_data_center   >= 8.14.0 < unspecified     unspecified
atlassian  jira_data_center   >= 8.14.0 < 8.16.1          8.16.1
atlassian  jira_data_center   >= 8.6.0 < unspecified      unspecified
atlassian  jira_data_center   >= 8.6.0 < 8.13.6           8.13.6
atlassian  jira_data_center   >= unspecified < 8.5.14     8.5.14
atlassian  jira_data_center   >= unspecified < 8.13.6     8.13.6
atlassian  jira_data_center   >= unspecified < 8.16.1     8.16.1
atlassian  jira_server        < 8.5.14                    8.5.14
atlassian  jira_server        >= 8.14.0 < unspecified     unspecified
atlassian  jira_server        >= 8.14.0 < 8.16.1          8.16.1
atlassian  jira_server        >= 8.6.0 < unspecified      unspecified
atlassian  jira_server        >= 8.6.0 < 8.13.6           8.13.6
atlassian  jira_server        >= unspecified < 8.5.14     8.5.14
atlassian  jira_server        >= unspecified < 8.13.6     8.13.6
atlassian  jira_server        >= unspecified < 8.16.1     8.16.1

Detection & IOCs (extracted from sources)

url:  /s/cfx/_/;/WEB-INF/web.xml
url:  /s/cfx/_/;/WEB-INF/classes/seraph-config.xml
url:  /s/cfx/_/;/WEB-INF/decorators.xml
url:  /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties
url:  /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml
url:  /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
url:  /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties
path: /WEB-INF/web.xml
url:  {{BaseURL}}/s/{{randstr}}/_/;/WEB-INF/web.xml   (Nuclei template form)
  • Detect exploitation attempts by matching HTTP GET requests with the path pattern /s/<token>/_/;/WEB-INF/ — the semicolon (;) before WEB-INF is the path traversal bypass token characteristic of this CVE.
  • Validate exploitation by checking HTTP 200 responses containing the string '<web-app' in the response body, indicating successful WEB-INF/web.xml file read.
  • Monitor for requests targeting /WEB-INF/classes/seraph-config.xml via the traversal pattern, as this file contains authentication configuration and is a high-value target.
  • Shodan queries 'http.component:"Atlassian Jira"' and 'http.component:"atlassian jira"' can be used to identify exposed Jira instances for proactive asset discovery.
  • Affected versions are before 8.5.14, from 8.6.0 before 8.13.6, and from 8.14.0 before 8.16.1. Instances running 8.16.1+, 8.13.6+, or 8.5.14+ are not vulnerable.
  • The vulnerability is unauthenticated (PR:N) and network-accessible (AV:N), meaning no credentials are required to exploit it remotely.
  • This CVE is listed in CISA's Known Exploited Vulnerabilities catalog with a remediation due date of 2024-12-03, indicating active in-the-wild exploitation.
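The first two detection bullets above can be turned into a small log-hunting routine. The example below is added here and is not code from the page, from the CVE sources, or from Atlassian. It assumes web-server access logs in combined log format (a common default for reverse proxies in front of Jira), and it percent-decodes the request path before matching so that an encoded semicolon (%3B) is treated the same as a literal one; both the log format and the decoding step are assumptions of this example. The log lines embedded in it are constructed for illustration and the IPs are documentation-range addresses.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). Not real traffic;
# hosts, tokens and timestamps are made up for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Aug/2021:10:12:01 +0000] "GET /s/cfx/_/;/WEB-INF/web.xml HTTP/1.1" 200 5321 "-" "curl/7.68.0"
203.0.113.10 - - [16/Aug/2021:10:12:02 +0000] "GET /s/cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1" 200 1877 "-" "curl/7.68.0"
198.51.100.7 - - [16/Aug/2021:10:13:40 +0000] "GET /s/d41d8cd9/_/download/resources/com.atlassian.jira/jira.css HTTP/1.1" 200 41200 "-" "Mozilla/5.0"
192.0.2.25 - - [16/Aug/2021:10:14:05 +0000] "GET /s/abc123/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1" 404 210 "-" "python-requests/2.25"
192.0.2.25 - - [16/Aug/2021:10:14:09 +0000] "GET /rest/api/2/myself HTTP/1.1" 401 120 "-" "python-requests/2.25"
"""

# Combined-log-format prefix: source, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The page's indicator: /s/<token>/_/;/WEB-INF/ (META-INF is also listed among
# the IoC URLs). The ';' after the static-resource prefix is the distinguishing
# token. IGNORECASE is a deliberate widening for hunting purposes.
TRAVERSAL_RE = re.compile(r'^/s/[^/]+/_/;/(?:WEB-INF|META-INF)/', re.IGNORECASE)


def parse_log_line(line: str) -> Optional[Dict]:
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string, then percent-decode so %3B variants are normalised
    # to ';' before the indicator regex runs (decoding is an assumption here).
    path = rec["target"].split("?", 1)[0]
    rec["path"] = unquote(path)
    return rec


def is_traversal_attempt(path: str) -> bool:
    """True if the (decoded) request path carries the CVE-2021-26086 indicator."""
    return bool(TRAVERSAL_RE.match(path))


def scan_log(text: str) -> List[Dict]:
    """Return matching GET requests; 'likely_success' flags HTTP 200 responses."""
    hits = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["method"] == "GET" and is_traversal_attempt(rec["path"]):
            rec["likely_success"] = rec["status"] == 200
            hits.append(rec)
    return hits


def response_indicates_file_read(status: int, body: str) -> bool:
    """Second bullet: a 200 whose body contains '<web-app' means web.xml was served."""
    return status == 200 and "<web-app" in body


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        flag = "LIKELY-READ" if h["likely_success"] else "attempt"
        print(f'{h["ts"]} {h["src"]} {h["status"]} {flag} {h["path"]}')
```

Access logs rarely record response bodies, so `scan_log` can only say whether the server answered 200; `response_indicates_file_read` is the check to apply where a proxy or WAF does capture bodies. A 200 on one of these paths from a version inside the affected ranges listed above should be treated as a confirmed read and trigger a credential and session-secret review, since seraph-config.xml and web.xml are the files the IoCs name.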

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     5.3    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd        v2.0     5.0    MEDIUM    AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck  -        5.3    MEDIUM    -
cisa       -        5.3    MEDIUM    -