
Alcatel-lucent / Jira vulnerable to CVE-2021-26086

zythop reported 2021-10-12

The instance has been found vulnerable to CVE-2021-26086, which allows remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. More info here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26086

The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.

To fix this, you should update to the most recent version.

IP: 213.39.19.123
Port: 443
Detected protocol: https
Found pom.properties through CVE-2021-26086:
#Generated by Maven
#Mon Nov 23 12:46:07 UTC 2020
version=8.14.0
groupId=com.atlassian.jira
artifactId=jira-webapp-dist
Found by JiraPlugin 2021-10-12

IP: 213.39.19.123
Port: 443
Detected protocol: https
Found pom.properties through CVE-2021-26086:
#Generated by Maven
#Mon Nov 23 12:46:07 UTC 2020
version=8.14.0
groupId=com.atlassian.jira
artifactId=jira-webapp-dist
Found by JiraPlugin 2021-11-30

IP: 213.39.19.123
Port: 443
Detected protocol: https
Found pom.properties through CVE-2021-26086:
#Generated by Maven
#Mon Nov 23 12:46:07 UTC 2020
version=8.14.0
groupId=com.atlassian.jira
artifactId=jira-webapp-dist
Found by JiraPlugin 2021-12-01

Report created by zythop 2021-10-12
zythop commented 2021-10-12: approved doesn't show in report

Same here: jira-qa.app.ale-international.com

Report approved by BloodyShell 2021-10-12
New PDF report generated by system 2021-10-12
Report dispatched to ...@... by system 2021-10-12
Report dispatched to ...@... by system 2021-10-12
Report comment dispatched to BloodyShell by system 2021-10-21
Report comment dispatched to iampritam by system 2021-10-21
Report comment dispatched to fokoil by system 2021-10-21
system commented 2022-01-05: approved shows in report

bip! I'm a LeakIX probe.

This issue looks like it has been resolved!

New PDF report generated by system 2022-01-05
Report comment dispatched to zythop by system 2022-01-05
Report comment dispatched to dataprivacy@al-enterprise.com by system 2022-01-05
Report comment dispatched to cert-fr.cossi@ssi.gouv.fr by system 2022-01-05
Report marked as fixed by BloodyShell 2022-01-05
Report closed by BloodyShell 2022-01-05
New PDF report generated by system 2022-01-05
Report edited by zythop 2022-01-05
New PDF report generated by system 2022-01-05
Information
Owner Alcatel-lucent
Created 2021-10-12 17:46
Updated 2022-01-05 18:44
Fixed true

Contacts
d...@al-enterprise.com
c...@ssi.gouv.fr

Status
Status closed
Hosting contacted false
CERT contacted false
