The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter.
Attack Scenario
Parameter-based redirection vulnerabilities allow an attacker to craft a JIRA URL in such a way that a user clicking on this URL will be redirected to a different web site.
This feature cause an attacker to launch a phishing attack. Because many users only look at the domain name of a link before clicking on it and they will think they are going to a regular Jira page. But they are being redirected to a malicious or an external site.
JIRA site keep track of external links followed is to redirect the user from a local resource rather than linking directly to the external site. Here, instead of linking directly to an external site, a link points to redirect functionality at the local login.jsp page and passes in the os_destination as a parameter (allows you to redirect to any site).
If the user is already logged in, it doesn’t seem to matter which page the os_destination parameter is on. Even if it’s a page that doesn’t exist, it will still redirect the user immediately. For example:
https://jira.example.com/ThisCanBeAnything?os_destination=%2F%2Fatlassian.com
os_destination parameter
• Points to the page to redirect after a successful login
• The manipulation of the argument os_destination leads to a privilege escalation vulnerability (Redirect).