Atlassian JIRA < 6.0.4 Arbitrary File Creation

Medium | Nessus Plugin ID 73272


The remote web server hosts a web application that is potentially affected by an arbitrary file creation vulnerability.


According to its self-reported version number, the version of Atlassian JIRA hosted on the remote web server is prior to version 6.0.4. It is, therefore, potentially affected by an arbitrary file creation vulnerability due to a flaw in the Issue Collector plugin in which the 'filename' POST parameter is not properly sanitized, which allows traversing outside a restricted path. A remote, unauthenticated attacker, using a crafted request, can exploit this vulnerability to create files in arbitrary directories in the JIRA installation.

This vulnerability only affects JIRA installations running on the Windows OS.

Note that the Issue Collector plugin for JIRA is also affected by this vulnerability; however, Nessus did not confirm that this plugin is installed.


Upgrade to JIRA 6.0.4 or later, and upgrade or disable the Issue Collector plugin.

Plugin Details

Severity: Medium

ID: 73272

File Name: jira_6_0_4.nasl

Version: 1.12

Type: remote

Family: CGI abuses

Published: 3/31/2014

Updated: 6/5/2024

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Risk Information

Risk Factor: Medium
Score: 4.9

CVSS v2
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.6
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:atlassian:jira

Required KB Items: Settings/ParanoidReport, installed_sw/Atlassian JIRA

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/26/2014

Vulnerability Publication Date: 2/26/2014

Exploitable With

Core Impact

Metasploit (JIRA Issues Collector Directory Traversal)

Reference Information

CVE: CVE-2014-2314

BID: 65849