CVE-2019-8451

MEDIUM EXPLOITED NUCLEI

Jira Server 7.6.0-8.3.9 - Server-Side Request Forgery via Gadgets MakeRequest Endpoint

Title source: llm

Exploitation Summary

CVE-2019-8451 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 6 public exploits from researchers including jas502n, 0xbug, and h0ffayyy. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a Python script that exploits CVE-2019-8451, an SSRF vulnerability in Jira before version 8.4.0. The script sends a crafted request to the vulnerable endpoint to access internal network resources.

Description

The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

Exploits (6)

nomisec WORKING POC 31 stars
by jas502n · infoleak
https://github.com/jas502n/CVE-2019-8451

This repository contains a Python script that exploits CVE-2019-8451, an SSRF vulnerability in Jira before version 8.4.0. The script sends a crafted request to the vulnerable endpoint to access internal network resources.

Classification
Working PoC 95%
Attack Type: SSRF
Complexity: Trivial
Reliability: Reliable
Target: Atlassian Jira before 8.4.0
No auth needed
Prerequisites: Network access to the vulnerable Jira instance
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 10 stars
by 0xbug · infoleak
https://github.com/0xbug/CVE-2019-8451

This PoC demonstrates an SSRF vulnerability in Atlassian Jira via the gadgets/makeRequest endpoint, allowing attackers to make arbitrary requests to internal or external resources. The exploit leverages URL manipulation to bypass access controls.

Classification
Working PoC 90%
Attack Type: SSRF
Complexity: Trivial
Reliability: Reliable
Target: Atlassian Jira Server
No auth needed
Prerequisites: Network access to the Jira instance
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 7 stars
by h0ffayyy · remote
https://github.com/h0ffayyy/Jira-CVE-2019-8451

This repository contains a Python script to scan for CVE-2019-8451, a pre-authentication SSRF vulnerability in Jira. It checks the version and attempts an SSRF request to determine vulnerability status.

Classification
Scanner 90%
Attack Type: SSRF
Complexity: Trivial
Reliability: Reliable
Target: Atlassian Jira versions 7.6.0 to 7.13.8 and 8.0.0 to 8.3.4
No auth needed
Prerequisites: Network access to the target Jira instance
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by ianxtianxt · remote
https://github.com/ianxtianxt/CVE-2019-8451

This PoC demonstrates an SSRF vulnerability in Jira by exploiting the `/plugins/servlet/gadgets/makeRequest` endpoint without authentication. It sends a crafted request to an attacker-controlled URL, confirming the vulnerability.

Classification
Working PoC 80%
Attack Type: SSRF
Complexity: Trivial
Reliability: Reliable
Target: Atlassian Jira (versions affected by CVE-2019-8451)
No auth needed
Prerequisites: Network access to the target Jira instance · Target Jira instance must be vulnerable to CVE-2019-8451
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by iuds · poc
https://github.com/iuds/CVE-2019-8451

This script exploits CVE-2019-8451, an SSRF vulnerability in Atlassian products, by crafting a malicious request to the Gadgets plugin endpoint. It checks for session leakage indicators like 'set-cookie' and the X-AUSERNAME header in the response.

Classification
Working PoC 95%
Attack Type: SSRF
Complexity: Trivial
Reliability: Reliable
Target: Atlassian products (e.g., Jira, Confluence)
No auth needed
Prerequisites: access to the target Atlassian instance · network connectivity to the SSRF target
devstral-2 · analyzed May 19, 2026

nomisec WORKING POC
by b0ul1 · infoleak
https://github.com/b0ul1/CVE-2019-8451

This script is a proof-of-concept for CVE-2019-8451, an SSRF vulnerability in Atlassian products. It crafts a malicious request to the target URL and checks for indicators of a successful SSRF attack, such as the presence of 'set-cookie' in the response body.

Classification
Working PoC 90%
Attack Type: SSRF
Complexity: Trivial
Reliability: Reliable
Target: Atlassian products (specific version not specified)
No auth needed
Prerequisites: Access to the target Atlassian instance
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Jira <8.4.0 - Server-Side Request Forgery
MEDIUM · by TechbrunchFR
Shodan: http.component:"Atlassian Jira" || http.component:"atlassian jira"

References (1)

Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
https://jira.atlassian.com/browse/JRASERVER-69793

Scores

CVSS v3 6.5
EPSS 0.9407
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

VulnCheck KEV 2023-12-06
CWE CWE-918
Status published
Products (1)
atlassian/jira_server 7.6.0 - 8.4.0
Published Sep 11, 2019
Tracked Since Feb 18, 2026