The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.
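A detection check added here as an example (not code from the page, the assessor's PoC, or Atlassian): it scans web-server access logs for calls to the makeRequest gadget proxy whose target points at loopback, private, link-local or cloud-metadata addresses, which is the pattern a defender would hunt for on an unpatched instance. Assumptions: the proxy's target is passed in a `url` query parameter, logs are in Combined Log Format, and the sample lines below are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Combined Log Format); clients, targets and
# hostnames are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Sep/2020:18:29:01 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [26/Sep/2020:18:29:05 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=http://10.0.0.5:8080/admin HTTP/1.1" 200 1024 "-" "curl/7.68.0"
198.51.100.2 - - [26/Sep/2020:18:30:00 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=https://jira.example.com/rest/api/2/myself HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.2 - - [26/Sep/2020:18:31:00 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
MAKEREQUEST_PATH = "/plugins/servlet/gadgets/makeRequest"
# Names that a gadget proxy should never be asked to fetch (assumption: extend per deployment).
SUSPICIOUS_HOSTS = {"localhost", "metadata.google.internal"}


def is_internal_host(host: str) -> bool:
    """True if host is a loopback/private/link-local IP literal or a known internal name."""
    if host.lower() in SUSPICIOUS_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a public DNS name; resolution is out of scope for a log check
    return ip.is_private or ip.is_loopback or ip.is_link_local


def find_internal_makerequests(log_text: str) -> list:
    """Return (client_ip, fetched_url) for makeRequest calls aimed at internal hosts."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != MAKEREQUEST_PATH:
            continue
        # parse_qs handles URL-encoded values, so an encoded target is decoded before inspection
        for fetched in parse_qs(parts.query).get("url", []):
            host = urlsplit(fetched).hostname or ""  # hostname drops any :port suffix
            if is_internal_host(host):
                hits.append((line.split(" ", 1)[0], fetched))
    return hits


if __name__ == "__main__":
    for client, target in find_internal_makerequests(SAMPLE_LOG):
        print(f"internal makeRequest from {client} -> {target}")
```

The check only inspects IP literals and a short deny-list of names; a target that is a public DNS name resolving to an internal address would need resolution-time checks at the proxy itself, which is what the fixed JiraWhitelist logic in 8.4.0 is for.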
Recent assessments:
h0ffayyy at September 26, 2020 6:29pm UTC reported:
Fairly easy to exploit, but I wasn’t able to do more than send requests from the victim server. May be useful for an attacker to recon internal infrastructure.
My POC can be seen here: <https://github.com/h0ffayyy/Jira-CVE-2019-8451>
Assessed Attacker Value: 3