Golive
Monthly
Server-Side Request Forgery in Apwide Golive 10.2.0 for Jira allows an attacker to abuse the plugin's test webhook function to induce the server to issue HTTP requests to arbitrary internal or external hosts. The vulnerability carries a scope-changed CVSS vector (S:C), meaning requests escape the plugin's trust boundary and can reach internal network resources invisible to the attacker. With an EPSS of 0.29% (20th percentile) and no active exploitation confirmed in CISA KEV, real-world risk is currently low, but the SSRF primitive could enable internal service enumeration or SSRF-chained attacks against cloud metadata endpoints on Jira-hosting infrastructure.
Server-Side Request Forgery in Apwide Golive 10.2.0 for Jira allows an attacker to abuse the plugin's test webhook function to induce the server to issue HTTP requests to arbitrary internal or external hosts. The vulnerability carries a scope-changed CVSS vector (S:C), meaning requests escape the plugin's trust boundary and can reach internal network resources invisible to the attacker. With an EPSS of 0.29% (20th percentile) and no active exploitation confirmed in CISA KEV, real-world risk is currently low, but the SSRF primitive could enable internal service enumeration or SSRF-chained attacks against cloud metadata endpoints on Jira-hosting infrastructure.