Published: June 2024
CVSS Score: 7.4 (High Severity)
Affected: Jira Core Data Center 9.4.x, 9.12.x, 9.15.x


Jira Core Data Center is a popular solution for enterprise project management, but in early 2024, Atlassian quietly addressed a dangerous vulnerability: CVE-2024-21685. This issue puts confidential business info at risk—*even if your Jira instance is not publicly accessible*.

9.15.x (fixed in 9.16.x)

It allows an unauthenticated attacker—that means anyone, not just Jira users!—to access sensitive information, provided a legitimate user interacts with specially crafted content. Attackers can leak confidential data, but cannot change or erase data, nor take down your Jira (i.e., no impact on integrity or availability, only confidentiality).

Bottom line: If you’re running one of the affected versions, sensitive information (like project names, internal URLs, exposed credentials, or more) could be viewable by a total outsider.

How Does CVE-2024-21685 Work?

While Atlassian did not disclose all the deep technical details (since this was found internally), the advisory makes it clear that this is an “information disclosure” that does not require authentication, but does require some form of *user interaction*.

That typically implies an attacker could send a crafted link to a Jira user, or embed a request in a forum, email, or web page that triggers a data leak from the Jira server when the link is clicked.

The end result: sensitive Jira data is disclosed to the attacker (via the direct response, or via an attacker-controlled web server collecting the data).

Quick Test: Am I Vulnerable?

Warning: This is a demonstration for educational purposes only!
*Do not use against systems you don’t own.*

Below is a simple curl command to check if your Jira instance exposes sensitive info.

```bash
curl -i https://your-jira.example.com/rest/api/latest/serverInfo
```

Without authentication, this endpoint should NOT return anything sensitive. However, during the window of this vulnerability, unexpected data might be returned, such as server version info or internal URLs.

(Replace your-jira.example.com with your Jira hostname.)

If you receive information like server version, internal hostnames, or settings without needing to log in, your Jira instance might be leaking sensitive information.

Based on the public history of similar Jira vulnerabilities, here is a possible exploit workflow:

1. Locate a vulnerable endpoint exposed by Jira, such as /rest/api/latest/ or /status.

Here’s how you might automate the test:

```python
import requests

# Replace with your Jira's actual base URL before running.
url = "https://your-jira.example.com/rest/api/latest/serverInfo"

try:
    # Deliberately unauthenticated: no session cookie or credentials are sent.
    resp = requests.get(url, timeout=10)
except requests.RequestException as exc:
    raise SystemExit(f"[x] Request failed: {exc}")

if resp.status_code == 200 and "version" in resp.text:
    print("[!] Possible Data Leak! Response:")
    print(resp.text)
else:
    print("[-] Not vulnerable, or patched.")
```

Remember to replace with your Jira’s actual URL.

Remediation: How To Fix

Recommended action:
*Upgrade IMMEDIATELY* to a fixed version.

For 9.15.x: Upgrade to at least 9.16.x.

Links:
- Atlassian Download Center (Jira Core Data Center)
- Jira Core Data Center Release Notes

If you cannot upgrade right away, restrict network access to Jira, and monitor for any unexpected data requests or leaks.
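One way to act on the monitoring advice above, as an added example that is not part of the original write-up: a small Python scanner over Jira HTTP access-log lines that flags requests to the endpoints named in this post (/rest/api/latest/ and /status) when they arrive with a Referer from outside the Jira host (consistent with a user being lured into clicking a link) or anonymously from outside the internal network. The log layout, the hostname jira.corp.example, the internal range 10.0.0.0/8 and the log lines themselves are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Endpoints named in the write-up as worth watching for unexpected requests.
WATCHED_PREFIXES = ("/rest/api/latest/", "/status")
JIRA_HOST = "jira.corp.example"                    # assumed hostname of the monitored instance
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal client range

# Constructed sample lines, loosely modelled on Jira's HTTP access log (client IP,
# request id, username with "-" = anonymous, timestamp, request, status, bytes,
# duration, referer, user agent). No real hosts or users.
SAMPLE_LOG = """\
10.0.0.5 1x1x1 jdoe [18/Jun/2024:10:01:02 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 5120 31 "https://jira.corp.example/secure/Dashboard.jspa" "Mozilla/5.0"
203.0.113.7 2x1x1 - [18/Jun/2024:10:02:15 +0000] "GET /rest/api/latest/serverInfo HTTP/1.1" 200 412 12 "https://evil-forum.example/thread/42" "Mozilla/5.0"
10.0.0.9 3x1x1 - [18/Jun/2024:10:03:40 +0000] "GET /status HTTP/1.1" 200 17 2 "-" "curl/8.0"
10.0.0.5 4x1x1 jdoe [18/Jun/2024:10:04:01 +0000] "GET /rest/api/latest/serverInfo HTTP/1.1" 200 412 9 "https://jira.corp.example/plugins/servlet/x" "Mozilla/5.0"
10.0.0.5 5x1x1 jdoe [18/Jun/2024:10:05:30 +0000] "GET /rest/api/latest/serverInfo HTTP/1.1" 200 412 10 "https://mail.example.net/msg/9" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<reqid>\S+) (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def find_suspicious(log_text):
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(WATCHED_PREFIXES):
            continue
        reasons = []
        # Rule 1: triggered from a page outside our Jira (the crafted-link pattern).
        # Browsers may strip Referer, so this catches the careless case only.
        ref_host = urlparse(m["referer"]).hostname if m["referer"] != "-" else None
        if ref_host and ref_host != JIRA_HOST:
            reasons.append(f"cross-site referer: {ref_host}")
        # Rule 2: anonymous use of a watched endpoint from outside the internal range.
        if m["user"] == "-" and ipaddress.ip_address(m["ip"]) not in INTERNAL_NET:
            reasons.append("anonymous request from outside the internal range")
        if reasons:
            findings.append({"reqid": m["reqid"], "ip": m["ip"], "user": m["user"],
                             "path": m["path"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"[!] {f['reqid']} {f['ip']} user={f['user']} {f['path']}: {'; '.join(f['reasons'])}")
```

Treat a hit as a lead to correlate with that user's session activity rather than proof of exploitation, since Referer is a heuristic and the 9.16.x upgrade remains the actual fix.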

FAQ

Q: Am I affected if I use Jira Software or Jira Service Management?
A: This CVE specifically lists Jira Core Data Center, but similar vulnerabilities often overlap. Check your product and version.

Q: What kind of information is actually leaked?
A: Atlassian hasn’t shared exact details, but “serverInfo”, internal project metadata, plugin and version info, and user emails are all typical targets in similar Jira bugs.

Q: No known active exploits—am I safe for now?
A: Security bugs often get weaponized once details become public. Patch ASAP even if there are “no known exploits.”


Final Advice

If your Jira is internet-accessible, prioritize this patch. Even internal-only installs are at risk if attackers can phish users.

Stay up to date with Atlassian advisories, and regularly review who can access Jira endpoints.

If you have questions or need help, talk to your Atlassian support team immediately.
Better to patch now than face a leak later.

Timeline

Published on: 06/18/2024 17:15:51 UTC
Last modified on: 06/20/2024 12:44:01 UTC