A vulnerability (CVE-2021-26086) exists in specific versions of Atlassian Jira Server and Data Center, which could allow remote attackers to read sensitive files on the server. This vulnerability impacts the confidentiality of the affected systems, potentially exposing sensitive configuration details.
| Product | Atlassian-JIRA |
| Date | 2024-11-13 09:09:29 |
| Information |
|
Technical Summary
Vulnerable versions of Atlassian Jira Server and Data Center are susceptible to a path traversal vulnerability in the /WEB-INF/web.xml endpoint. An attacker can exploit this flaw by sending specially crafted requests, allowing unauthorized access to files on the server. This issue can lead to the disclosure of sensitive information, including configuration files, which could contain details useful for further exploits or reconnaissance activities.
Affected versions:
- Versions prior to 8.5.14
- From 8.6.0 to 8.13.5
- From 8.14.0 to 8.16.0
Fixed versions:
- 8.5.14
- 8.13.6
- 8.16.1
- 8.17.0
Recommendations
To mitigate the risk associated with CVE-2021-26086, it is recommended to update Atlassian Jira Server and Data Center to one of the fixed versions (8.5.14, 8.13.6, 8.16.1, or 8.17.0). If an immediate update is not possible, it is recommended to implement the following workaround:
- Proxy configuration: use a proxy or load balancer to block access to the
/WEB-INF/web.xmlendpoint.
Note: The temporary solution described in the Atlassian KB article applies, but only the second workaround (proxy or load balancer configuration) is valid for this vulnerability.
[Callforaction-THREAT-Footer]
