Limited Remote File Read/Include in Jira Software Server
Description
A path traversal vulnerability exists in Atlassian Jira Server and Data Center that allows unauthenticated remote attackers to read specific files from the server through the /WEB-INF/web.xml endpoint. This vulnerability affects versions prior to 8.5.14, versions 8.6.0 through 8.13.5, and versions 8.14.0 through 8.16.0.
Affected versions:
version < 8.5.14
8.6.0 <= version < 8.13.6
8.14.0 <= version < 8.16.1
Fixed versions:
8.5.14
8.13.6
8.16.1
8.17.0
Remediation
Immediately upgrade your Atlassian Jira Server or Data Center installation to a fixed version based on your current release branch:
1. For versions below 8.5.14: Upgrade to version 8.5.14 or later
2. For versions 8.6.0 to 8.13.5: Upgrade to version 8.13.6 or later
3. For versions 8.14.0 to 8.16.0: Upgrade to version 8.16.1 or later
4. Alternatively, upgrade to version 8.17.0 or the latest available version
Before upgrading, review Atlassian's upgrade documentation and test the upgrade process in a non-production environment. As a temporary mitigation if immediate patching is not feasible, implement network-level access controls to restrict access to the Jira instance to trusted IP addresses only, though this should not be considered a permanent solution.
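Added example (not the advisory's or Atlassian's own code): a Python check that maps a Jira Server or Data Center version string onto the affected ranges listed above and returns the fixed release the remediation steps point to, so an inventory of instances can be screened before patching. It assumes versions are plain dotted integers such as 8.13.5.

```python
# Added example, not part of the advisory. Screens Jira version strings against
# the affected ranges stated above (lower bound inclusive, upper bound exclusive).
from typing import Optional, Tuple

# (lower bound inclusive or None for "any earlier", upper bound exclusive, fixed release)
AFFECTED_RANGES = [
    (None, (8, 5, 14), "8.5.14"),          # version < 8.5.14
    ((8, 6, 0), (8, 13, 6), "8.13.6"),     # 8.6.0 <= version < 8.13.6
    ((8, 14, 0), (8, 16, 1), "8.16.1"),    # 8.14.0 <= version < 8.16.1
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints.

    Shorter strings such as '8.6' are padded with zeros so they compare as 8.6.0.
    Raises ValueError for anything that is not dotted integers (assumption: Jira
    releases use that format).
    """
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    if len(nums) < 3:
        nums = nums + (0,) * (3 - len(nums))
    return nums


def fixed_version_for(version: str) -> Optional[str]:
    """Return the fixed release to upgrade to, or None if the version is not affected."""
    v = parse_version(version)
    for low, high, fix in AFFECTED_RANGES:
        if (low is None or v >= low) and v < high:
            return fix
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = {"jira-a": "8.13.5", "jira-b": "8.5.14", "jira-c": "8.16.0", "jira-d": "7.13.2"}
    for host, ver in inventory.items():
        fix = fixed_version_for(ver)
        print(f"{host}: {ver} -> " + (f"AFFECTED, upgrade to {fix}" if fix else "not affected"))
```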