CVE-2021-26086

MEDIUM KEV NUCLEI

Atlassian Jira Data Center < 8.5.14 - Path Traversal

Title source: rule

Description

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.

Exploits (4)

exploitdb WORKING POC

by Mayank Deshmukh · textwebappsmultiple

https://www.exploit-db.com/exploits/50380

View Code ZIP pw:eip

nomisec WORKING POC 25 stars

by ColdFusionX · poc

https://github.com/ColdFusionX/CVE-2021-26086

View Code ZIP pw:eip

nomisec WORKING POC

by Official-BlackHat13 · poc

https://github.com/Official-BlackHat13/CVE-2021-26086

View Code ZIP pw:eip

nomisec WORKING POC

by Jeromeyoung · poc

https://github.com/Jeromeyoung/CVE-2021-26086

View Code ZIP pw:eip

Nuclei Templates (1)

Atlassian Jira Limited - Local File Inclusion

MEDIUMby cocxanh

Shodan: http.component:"Atlassian Jira" || http.component:"atlassian jira"

References (3)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/164405/Atlassian-Jira-Server-Data-Center-8.4.0-File-Read.html

[Issue Tracking, Vendor Advisory] https://jira.atlassian.com/browse/JRASERVER-72695

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26086

Scores

CVSS v3 5.3

EPSS 0.9419

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CISA KEV 2024-11-12

VulnCheck KEV 2023-11-18

InTheWild.io 2024-11-12

ENISA EUVD EUVD-2021-12907

CWE

CWE-22

Status published

Products (2)

atlassian/jira_data_center < 8.5.14

atlassian/jira_server < 8.5.14

Published Aug 16, 2021

KEV Added Nov 12, 2024

Tracked Since Feb 18, 2026