A security researcher discovered attempts to download the ‘dbconfig.xmlpasswd’ file, which contains Jira’s database passwords, as part of the exploitation targeting the ‘Stagil navigation for Jira – Menus & Themes’ plugin.
These attacks originated from two different IP addresses, but the connection between them remains unclear, leading to suspicions about the purpose behind launching two large scans for the vulnerabilities in a short time span. The researcher, Johannes Ullrich from SANS, notes that while the scans use different user agents, it doesn’t necessarily mean they were launched by separate groups or individuals, and neither IP address is linked to a known threat group.
Furthermore, the vulnerabilities in the ‘Stagil navigation for Jira’ plugin, namely CVE-2023-26255 and CVE-2023-26256, have been publicly known since February, making them more susceptible to exploitation. The flaws allow attackers to manipulate certain endpoints to traverse and read files on the server, potentially gaining access to sensitive information, including credentials and application data.
Due to the ongoing exploitation attempts and the public availability of proof-of-concept exploits, Jira customers using the affected plugin are strongly advised to update to the patched version promptly to safeguard their systems.
As attackers continue their efforts to target the plugin, Jira administrators must prioritize security measures and apply the necessary updates to protect their systems from potential breaches.
Keeping the ‘Stagil navigation for Jira – Menus & Themes’ plugin up to date is crucial to prevent unauthorized access and potential data leaks, especially given the increase in cyberattacks on various platforms and services in recent times.
