CVE-2021-26086 — Atlassian Jira Server and Data Center Path Traversal Vulnerability

CVE-2021-26086

Atlassian Jira — Path Traversal in /s/ Endpoint Exposes WEB-INF/web.xml and Sensitive Configuration Files to Unauthenticated Attackers

What is Atlassian Jira?

Atlassian Jira is a widely deployed enterprise project management and issue tracking platform used by development teams, IT operations, and business teams across hundreds of thousands of organizations. Jira Server and Data Center run on-premises with access to a company's project data, sprint planning, and bug tracking — often including sensitive information about software development processes, vulnerabilities under investigation, and security-related tickets. Because Jira is used by development and security teams, compromise of a Jira instance can reveal sensitive development plans, security vulnerability details, and internal processes. Path traversal vulnerabilities in Jira's file serving endpoints can expose internal Java web application configuration files.

Overview

CVE-2021-26086 is a path traversal vulnerability (CWE-22) in Atlassian Jira Server and Data Center. The /s/ endpoint, which serves static web resources, does not properly validate the requested file path — an unauthenticated attacker can traverse outside the intended static resource directory and read files such as /WEB-INF/web.xml. The web.xml file is the Java web application deployment descriptor and may contain database connection details, JNDI resource configurations, filter configurations, and other sensitive server-side settings. While the direct confidentiality impact is limited (C:L), the information exposed can enable further attacks. CISA added this to KEV in November 2024, over three years after the patch.

Affected Versions

Product            Affected versions              Vulnerable   Fixed in
Jira Server        before 8.13.9                  Yes          8.13.9
Jira Server        8.14.x–8.18.x before 8.18.1    Yes          8.18.1
Jira Data Center   before 8.13.9                  Yes          8.13.9
Jira Data Center   8.14.x–8.18.x before 8.18.1    Yes          8.18.1

Technical Details

  • Root cause: Path traversal (CWE-22) in Jira's static resource servlet (/s/ endpoint) — the endpoint serves web resources from a specific directory but does not properly canonicalize or restrict the requested path; directory traversal sequences (encoded or plain ../) allow escaping the static resource directory and reading files from the Jira web application root, including protected directories
  • WEB-INF exposure: The /WEB-INF/ directory in Java web applications is normally protected from direct HTTP access by the servlet container; Jira's path traversal in the /s/ endpoint bypasses this protection, exposing web.xml and potentially other WEB-INF files
  • Sensitive data in web.xml: web.xml can contain database connection strings, JNDI datasource names, security filter configurations, and other settings that reveal Jira's internal architecture — useful for planning further attacks (SQL injection, authentication bypass, lateral movement)
  • Unauthenticated exploitation (PR:N/UI:N/AC:L): No credentials are required; the path traversal is exploitable in a single HTTP GET request to the /s/ endpoint with a traversal sequence in the resource path
  • Three-year KEV delay: CISA's November 2024 addition reflects continued exploitation of Jira servers running versions older than the 2021 patch — consistent with the large installed base of Jira Server instances that receive infrequent updates
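As an added example (not from the original advisory or from Atlassian), the following Python script shows the detection logic a defender could run over web server access logs: it decodes the plain, URL-encoded and double-encoded traversal sequences named above, resolves where the requested path would actually land, and flags /s/ requests that escape the static resource directory or reach WEB-INF. The log lines, client addresses and the resource path segment are constructed for the example.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed combined-format access log lines (made up for this example, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Nov/2024:10:01:02 +0000] "GET /s/1a2b3c/_/download/resources/batch.js HTTP/1.1" 200 5120
203.0.113.7 - - [12/Nov/2024:10:01:05 +0000] "GET /s/1a2b3c/../../WEB-INF/web.xml HTTP/1.1" 200 8765
203.0.113.9 - - [12/Nov/2024:10:01:09 +0000] "GET /s/1a2b3c/%2e%2e/%2e%2e/WEB-INF/web.xml HTTP/1.1" 200 8765
203.0.113.11 - - [12/Nov/2024:10:01:12 +0000] "GET /s/1a2b3c/%252e%252e/%252e%252e/WEB-INF/web.xml HTTP/1.1" 200 8765
203.0.113.13 - - [12/Nov/2024:10:01:20 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 2048
"""
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(path, max_rounds=3):
    # Undo nested percent-encoding (%252e -> %2e -> .) until the string stops changing,
    # so a rule that only looks for a literal "../" cannot be bypassed by encoding.
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def analyze_request(target):
    # Return a finding dict for a suspicious /s/ request, or None if it looks benign.
    decoded = fully_decode(target.split("?", 1)[0])
    if not decoded.startswith("/s/"):
        return None                      # not the static resource servlet
    resolved = normpath(decoded)         # where a naive file lookup would actually land
    reasons = []
    if "../" in decoded:
        reasons.append("traversal sequence")
    if not resolved.startswith("/s/"):
        reasons.append("escapes /s/")
    if "web-inf" in resolved.lower():
        reasons.append("reaches WEB-INF")
    return {"target": target, "resolved": resolved, "reasons": reasons} if reasons else None

def scan_log(text):
    # Parse each access log line and collect findings with the client IP attached.
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        finding = analyze_request(m.group("target")) if m else None
        if finding:
            finding["ip"] = m.group("ip")
            findings.append(finding)
    return findings
```

The same decode-then-resolve order is what a WAF rule for step 3 of the remediation list needs: matching only a literal `../` would miss the two encoded rows in the sample.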

Discovery

Reported to Atlassian and patched in July 2021 (Jira 8.13.9 and 8.18.1). CISA's November 2024 KEV addition indicates active exploitation was observed in 2024, suggesting threat actors were specifically targeting unpatched Jira Server instances for reconnaissance or as part of broader enterprise compromise campaigns.

Exploitation Context

Atlassian Jira is a common initial reconnaissance target in enterprise attacks because it contains detailed information about development processes, security issues, and internal tooling. CVE-2021-26086 allows unauthenticated file reads from the Jira server's file system via path traversal — specifically targeting web.xml which may contain database credentials or JNDI configuration that enables further exploitation. The three-year gap between patch and KEV addition reflects the long tail of Jira Server deployments running outdated versions, particularly in organizations that face change control challenges for Jira updates.

Remediation

  1. Upgrade Jira Server or Data Center to 8.13.9, 8.18.1, or any later version — patches the /s/ path traversal
  2. Check the current Jira version in Administration → System → System Information; versions older than the fixed releases are vulnerable
  3. If immediate patching is not possible: implement a web application firewall rule to block requests to the Jira /s/ endpoint that contain directory traversal sequences (../, %2e%2e, %252e%252e, etc.)
  4. Restrict internet access to Jira: Jira Server should not be publicly internet-accessible; restrict to VPN or corporate network access
  5. Audit Jira web.xml and confirm that database credentials, if present, use indirect references (JNDI datasources) rather than plaintext credentials — limit the value of web.xml disclosure
  6. Consider migrating from Jira Server to Jira Data Center or Jira Cloud, which follow a different security update cadence (Jira Cloud additionally runs on Atlassian-managed infrastructure)
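As an added example (not Atlassian's own tooling), this Python helper encodes the Affected Versions table from this advisory so that version strings read from System Information (step 2) or from an inventory export can be triaged in bulk; the version strings passed to the triage call are constructed.

```python
import re

# Fixed releases from the advisory's Affected Versions table.
FIXED_8_13 = (8, 13, 9)   # fix for the 8.13 line (everything before 8.13.9 is affected)
FIXED_8_18 = (8, 18, 1)   # fix for the 8.14.x - 8.18.x line

def parse_version(text):
    # Accept "8.13.8", "8.18.1" or "8.20.0-rc1"; anything after the numeric part is ignored.
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Jira version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def is_vulnerable(version):
    # Apply the table: anything before 8.13.9 is affected; 8.14.x-8.18.x is affected
    # until 8.18.1; 8.13.9+ within 8.13, 8.18.1+, and every later line are fixed.
    v = parse_version(version) if isinstance(version, str) else version
    if v < (8, 14, 0):
        return v < FIXED_8_13
    if v < (8, 19, 0):
        return v < FIXED_8_18
    return False

def triage(versions):
    # Map each instance's version string to a verdict, e.g. for an inventory export.
    return {ver: ("VULNERABLE" if is_vulnerable(ver) else "fixed") for ver in versions}

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for ver, verdict in triage(["7.13.0", "8.13.8", "8.13.9", "8.14.0", "8.18.0", "8.18.1", "8.20.0"]).items():
        print(f"{ver:<8} {verdict}")
```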

Key Details

Property              Value
CVE ID                CVE-2021-26086
Vendor / Product      Atlassian — Jira Server and Data Center
NVD Published         2021-08-16
NVD Last Modified     2025-10-24
CVSS 3.1 Score        5.3
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity              MEDIUM
CWE                   CWE-22
CISA KEV Added        2024-11-12
CISA KEV Deadline     2024-12-03
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       Low
Integrity             None
Availability          None

Required Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2021-07-21  Atlassian releases Jira Server/Data Center patch addressing the CVE-2021-26086 path traversal in the /s/ endpoint
2021-08-16  CVE published
2024-11-12  Added to CISA Known Exploited Vulnerabilities catalog — over three years after the patch
2024-12-03  CISA BOD 22-01 remediation deadline

References

Resource                             Type
Atlassian Jira Bug JRASERVER-72695   Vendor Advisory
NVD — CVE-2021-26086                 Vulnerability Database
CISA KEV Catalog Entry               US Government