Vulnerability Watch

snarang
Product Team
6 years ago

CVE-2019-8451: Availability of Proof-of-Concept for Server Side Request Forgery (SSRF) in Jira

On September 23, a tweet surfaced from security researcher Henry Chen, showing exploitation of a vulnerability in Atlassian’s Jira that was patched earlier in the month. It was preceded by the first proof-of-concept (PoC) code on September 16. On September 9, Atlassian released Jira Core and Jira Software version 8.4.0 to address several bugs including a security issue identified as CVE-2019-8451.

A retweet from the head of security for Square’s CashApp included a warning that those “running JIRA on AWS” should view the “SSRF” as an “RCE” (Remote Code Execution) flaw.

For more information about the vulnerability, including the impact to cloud hosted versions, and the lack of a patch available for the Jira 7.x release branch, please visit our blog.
