What’s new
This release delivers a substantial expansion of Jiraffe’s exploit coverage, adding multiple high‑impact and low‑noise Jira vulnerabilities across disclosure, XSS, SSRF, and brute‑force classes. It also includes UX refinements and presentation improvements ahead of the upcoming LTS.
Exploit modules
Added a broad set of new Jira exploit checks spanning multiple severity levels:
- CVE-2017-9506: OAuth
IconUriServletSSRF leading to internal resource access - CVE-2018-5230: Reflected XSS via Velocity templates
- CVE-2018-20824: Wallboard dashboard XSS
- CVE-2019-3396: Tinymce macro template path traversal (read‑only check)
- CVE-2019-3402: Labels gadget XSS
- CVE-2019-3403: Unauthenticated REST user picker enumeration
- CVE-2019-8442: Jira Maven
pom.xmldisclosure - CVE-2019-8443: Alternate‑path Jira Maven
pom.xmldisclosure - CVE-2019-8451: Pre‑authenticated SSRF via gadgets
makeRequest - CVE-2019-11581: Velocity template injection leading to RCE
- CVE-2020-14178: Unauthenticated project existence disclosure
- CVE-2020-14179: Unauthenticated QueryComponent metadata disclosure
- CVE-2020-14181: Unauthenticated user hover information disclosure
- CVE-2020-36287: Configurable gadget preferences brute‑force module
- CVE-2020-36289: QueryComponentRendererValue information disclosure
These modules emphasize safe detection, clear severity signaling, and recon‑first workflows, while introducing controlled intrusive behavior only where explicitly required.
CLI & UX
- Improved banner color stacking for clearer inline highlights
- Added optional
no-resetflag to styling helpers for finer ANSI color control - Refined inline output consistency across exploit modules
Documentation
- Updated
READMEwith the new demo - Retired legacy branding assets
- Refined CVE exploit summaries for accuracy and consistency
Stability notes
- This release is intended as a stable baseline ahead of the upcoming LTS
- No breaking changes to existing recon or exploit interfaces
- All new exploit modules follow non‑destructive defaults unless explicitly noted
Changelog: v2.1.8...v2.1.9