Jira - Sensitive Data Exposure Via Unauthenticated User
Our Pentester (Adam Willard) accessed the URL of an add-on in JIRA that allowed access to critical/sensitive information. This includes but is not limited to:
• Architecture information
• Usernames and Passwords
• DNS changes
• Information regarding vulnerabilities
• User issues
URL: https://{URL}/secure/pl.com.tt.thescheduler.CreateScheduledIssue!default.jspa?issueId=201564
Steps to reproduce:
1. Login to JIRA
2. Open any issue
3. Open another browser and logout from JIRA
4. On the issue page, go to "More" and try to click on "Schedule issue"
5. You should see the scheduler feature page open - we can access step 2 by changing the number in the URL
6. Change the issue ID to one of the existing issue IDs
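The steps above amount to an unauthenticated request to the add-on's action with an attacker-chosen issueId. From the defender's side, the useful check is whether the web server's access log shows that action returning content (HTTP 200) to requests that carry no authenticated user, and whether one source walks through many issue IDs. The following script is an added example, not part of the report or of the add-on; it assumes a constructed, combined-log-like line format in which the third field is the authenticated username (a "-" means no session) and the sample lines are made up for illustration. After the fix, the same parser shows the endpoint answering such requests with a 302 to the login page instead of a 200, as the last two constructed lines illustrate.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (combined-log-like format, assumed here):
#   client_ip ident username [timestamp] "METHOD target HTTP/1.1" status bytes
# A "-" in the username field means the request carried no authenticated session.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /secure/pl.com.tt.thescheduler.CreateScheduledIssue!default.jspa?issueId=201564 HTTP/1.1" 200 18342
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /secure/pl.com.tt.thescheduler.CreateScheduledIssue!default.jspa?issueId=201565 HTTP/1.1" 200 17911
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /secure/pl.com.tt.thescheduler.CreateScheduledIssue!default.jspa?issueId=201566 HTTP/1.1" 200 18002
10.0.0.5 - jdoe [10/Oct/2023:13:56:01 +0000] "GET /secure/pl.com.tt.thescheduler.CreateScheduledIssue!default.jspa?issueId=201564 HTTP/1.1" 200 18342
198.51.100.9 - - [10/Oct/2023:13:57:12 +0000] "GET /secure/pl.com.tt.thescheduler.CreateScheduledIssue!default.jspa?issueId=201564 HTTP/1.1" 302 0
198.51.100.9 - - [10/Oct/2023:13:57:30 +0000] "GET /browse/PROJ-1 HTTP/1.1" 302 0
"""

# Path of the add-on action named in the report.
SCHEDULER_PATH = "/secure/pl.com.tt.thescheduler.CreateScheduledIssue!default.jspa"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    rec["status"] = int(rec["status"])
    return rec


def find_unauthenticated_disclosures(log_text, path=SCHEDULER_PATH):
    """Return {client_ip: sorted issueIds} for requests that had no authenticated
    user, hit the scheduler action, and were answered with a 200 (content served
    instead of a redirect to login)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["user"] != "-" or rec["path"] != path or rec["status"] != 200:
            continue
        for issue_id in rec["query"].get("issueId", []):
            hits[rec["ip"]].add(issue_id)
    return {ip: sorted(ids) for ip, ids in hits.items()}


def enumeration_suspects(disclosures, min_distinct=3):
    """Sources that pulled at least min_distinct different issues without logging in;
    a rising count of distinct IDs from one address is the signature of ID walking."""
    return sorted(ip for ip, ids in disclosures.items() if len(ids) >= min_distinct)


if __name__ == "__main__":
    found = find_unauthenticated_disclosures(SAMPLE_LOG)
    for ip, ids in found.items():
        print(f"{ip}: {len(ids)} issue(s) served without authentication: {', '.join(ids)}")
    print("enumeration suspects:", enumeration_suspects(found))
```

Feed the real log in place of SAMPLE_LOG and adjust LOG_RE to the instance's actual access-log pattern; the status filter is what distinguishes a vulnerable instance (200 with a sizeable body) from a patched one (302 with an empty body).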
Comments (9)
-
reporter -
- marked as critical
-
- changed status to open
Thank you for reporting this,
We are currently investigating this issue - I will update you on progress
Best regards,
Łukasz Modzelewski
-
reporter Any update on this ticket? Users are complaining about the scheduler feature. We have disabled the add-on currently to mitigate the risk.
-
- changed status to resolved
Thank you for your patience and we are sorry that you had to wait for so long.
We have fixed it. We also fixed some other minor issues. You can now enable The Scheduler.
Again, thank you for reporting this.
Best regards,
Łukasz
-
reporter Thank you for fixing the issue. Users are now forced to login when performing the scheduler action.
However, one of the endpoints is still showing content in JSON format even without login.
Please try to access the jira instance https://{jira instance url}/plugins/servlet/bit-storage/storymap/maps/_
-
reporter - changed status to new
-
Please check if you can access this page after disabling The Scheduler - because this link is not a part of our add-on.
On our test instances there is a 404 error on this page.
We believe the latest update covered all endpoints.
-
- changed status to closed
Please advise if there is any update on this issue.