by Rodrigo Gava
LFI (Local File Inclusion) Issue found in Jira Server and Data Center “Better PDF Exporter” Plugin
Our research group has identified a significant vulnerability in the widely used Better PDF Exporter plugin for Jira Server and Jira Data Center. It’s worth noting that this plugin is highlighted as a “Staff Pick” on the Atlassian Marketplace and has amassed thousands of installations.
- CVE Identifier: CVE-2023-42361
- Product: Better PDF Exporter for Jira Server and Jira Data Center (Note: Jira Cloud version is NOT affected)
- Version Affected: Up to 10.3.0
- Patch Status: Version 11.0.0, released on 11/10/2023, addresses this issue. All prior versions are vulnerable.
- Type of Attack: Remote
- Problem Type: Local File Inclusion (LFI) and Server-side request forgery (SSRF)
- Impact on Privileges: Escalation of privileges
- Data Exposure: Risk of information disclosure
- Other Impacts: Bypassing IP whitelisting and potential for network reconnaissance
The affected versions of the plugin are vulnerable when processing certain malicious image attachments. Within Jira Server or Data Center, a crafted image triggers a flaw during the PDF export process performed by the Better PDF Exporter plugin. This allows unauthorized users to read internal files on the local system, including attachments belonging to other issues regardless of the permissions set on those issues – a classic case of Local File Inclusion (LFI). Additionally, the vulnerability gives an adversary the means to detect web applications on the internal network and to make arbitrary server-side requests, the hallmark of Server-Side Request Forgery (SSRF).
Given the widespread use and critical nature of this vulnerability, we strongly urge users of the affected versions to upgrade to version 11.0.0 or later immediately. If operating on an older version, exercise extreme caution, particularly with image attachments. A detailed article with a proof of concept for this vulnerability will be released in the near future, shedding more light on the issue.
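To turn the affected/patched version information above into a repeatable check, the following added example (not code from the advisory author or from the plugin vendor) inspects a Jira Server/Data Center instance's installed plugins and reports whether Better PDF Exporter is below the patched release 11.0.0. It assumes the Universal Plugin Manager REST endpoint `/rest/plugins/1.0/` returns a JSON object with a `plugins` list whose entries carry `key`, `name`, `version` and `enabled` fields, and it locates the plugin by a case-insensitive match on its name because the plugin key is not stated on the page. The sample UPM response embedded in the block is constructed so the check runs offline; the `placeholder-plugin-key` value is a placeholder, not the real key.

```python
"""Assess an installed Better PDF Exporter for Jira against CVE-2023-42361.

Added example accompanying the advisory; not the author's or vendor's code.
Assumptions (not from the page): the UPM endpoint /rest/plugins/1.0/ and the
shape of its JSON response, and that matching the plugin by name is sufficient.
"""
import base64
import json
import re
import urllib.request
from typing import Optional

PATCHED_VERSION = "11.0.0"                # from the advisory: fixed in 11.0.0
PLUGIN_NAME_HINT = "better pdf exporter"  # name match; plugin key is not given on the page


def parse_version(version: str) -> tuple:
    """Turn '10.3.0' (or '10.3.0-beta2', '10.3') into a comparable int tuple.

    Numeric comparison avoids the lexicographic trap where '9.9.9' > '11.0.0'
    as strings; a trailing pre-release tag after '-' is ignored and short
    versions are padded so that 10.3 == 10.3.0.
    """
    core = version.split("-", 1)[0]
    parts = [int(p) for p in re.findall(r"\d+", core)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the fix (everything below 11.0.0)."""
    return parse_version(version) < parse_version(PATCHED_VERSION)


def find_plugin(upm_json: dict) -> Optional[dict]:
    """Locate the Better PDF Exporter entry in a UPM plugin listing by name."""
    for plugin in upm_json.get("plugins", []):
        if PLUGIN_NAME_HINT in plugin.get("name", "").lower():
            return plugin
    return None


def assess(upm_json: dict) -> dict:
    """Summarise exposure: installed?, which version, enabled?, vulnerable?"""
    plugin = find_plugin(upm_json)
    if plugin is None:
        return {"installed": False, "version": None, "enabled": False, "vulnerable": False}
    version = plugin.get("version", "0")
    return {
        "installed": True,
        "version": version,
        "enabled": bool(plugin.get("enabled", True)),
        "vulnerable": is_vulnerable(version),
    }


def fetch_upm_listing(base_url: str, username: str, password: str) -> dict:
    """Fetch the UPM plugin listing with HTTP basic auth (assumed endpoint/shape).

    Only administrators can read this endpoint; run it from the Jira host or
    an admin workstation, never expose the credentials in a shared script.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/rest/plugins/1.0/",
        headers={"Authorization": "Basic " + token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed sample response (not real data) mirroring the assumed UPM shape.
SAMPLE_UPM_RESPONSE = {
    "plugins": [
        {"key": "com.example.other", "name": "Some Other Plugin",
         "version": "2.1.0", "enabled": True},
        {"key": "placeholder-plugin-key", "name": "Better PDF Exporter for Jira",
         "version": "10.3.0", "enabled": True},
    ]
}

if __name__ == "__main__":
    result = assess(SAMPLE_UPM_RESPONSE)
    status = "VULNERABLE, upgrade to 11.0.0 or later" if result["vulnerable"] else "patched"
    print(f"Better PDF Exporter {result['version']}: {status}")
```

Against the constructed sample the check reports version 10.3.0 as vulnerable; pointing `fetch_upm_listing` at a real instance and passing its result to `assess` gives the same report for a live system. Note that a disabled-but-installed plugin still shows up, so the `enabled` flag is reported separately rather than folded into the verdict.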