Jira - Sensitive Data Exposure Via Unauthenticated User

Issue #194 closed
RK Allam created an issue

Our Pentester (Adam Willard) accessed the URL of an add-on in JIRA that allowed access to critical/sensitive information. This includes but is not limited to:

• Architecture information
• Usernames and Passwords
• DNS changes
• Information regarding vulnerabilities
• User issues

URL: https://{URL}/secure/pl.com.tt.thescheduler.CreateScheduledIssue!default.jspa?issueId=201564

Steps to reproduce:

1. Login to JIRA
2. Open any issue
3. Open another browser and logout from JIRA
4. On the issue page - go to more and try to click on "schedule issue"
5. You should see the scheduler feature page open - we can access the step 2 by changing the number in the URL
6. Change the issue ID to one of the existing issue IDs

Comments (9)

  1. Łukasz Modzelewski
    • changed status to open

    Thank you for reporting this,

    We are currently investigating this issue - I will update you on progress

    Best regards,

    Łukasz Modzelewski

  2. RK Allam reporter

    Any update on this ticket? Users are complaining about the scheduler feature. We have disabled the add-on currently to mitigate the risk.

  3. Łukasz Modzelewski

    Thank you for your patience and we are sorry that you had to wait for so long.

    We have fixed it. We also fixed some other minor issues. You can now enable The Scheduler.

    Again, thank you for reporting this.

    Best regards,

    Łukasz

  4. RK Allam reporter

    Thank you for fixing the issue. Users are now forced to login when performing the scheduler action.

    However, one of the endpoints is still showing content in JSON format even without login.

    Please try to access the jira instance https://{jira instance url}/plugins/servlet/bit-storage/storymap/maps/_

  5. RK Allam reporter
    • changed status to new

    Thank you for fixing the issue. Users are now forced to login when performing the scheduler action. However, one of the endpoints is still showing content in JSON format even without login. Please try to access the jira instance https://{jira instance url}/plugins/servlet/bit-storage/storymap/maps/_

  6. Łukasz Modzelewski

    Please check if you can access this page after disabling The Scheduler - because this link is not a part of our add-on.

    On our test instances there is an error 404 on this page.

    We believe the latest update covered all endpoints.
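An added regression check for the two URLs discussed in this thread, written for a Jira admin verifying their own instance after the vendor fix; it is not code from the thread or from the add-on vendor. It assumes `BASE_URL` is replaced with your instance, that a logged-out client is redirected to a URL containing `login`, and that Jira's login page carries the `os_username` field and `login-form` id.

```python
import urllib.error
import urllib.request

# Placeholder: point BASE_URL at your own instance; the issue id is the one from the report.
BASE_URL = "https://{jira instance url}"
ENDPOINTS = [
    "/secure/pl.com.tt.thescheduler.CreateScheduledIssue!default.jspa?issueId=201564",
    "/plugins/servlet/bit-storage/storymap/maps/_",
]
# Assumption: Jira's login page contains these markers (field name os_username, form id login-form).
LOGIN_MARKERS = ("os_username", "login-form")


def classify(status, headers, body):
    """Classify what an anonymous client (no session cookie) got back.

    'protected' - 401/403, a redirect to the login page, or the login page itself
    'missing'   - 404, e.g. the add-on that served the path is disabled
    'exposed'   - 200 with real content handed to an unauthenticated client
    """
    h = {k.lower(): v for k, v in headers.items()}
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307, 308) and "login" in h.get("location", "").lower():
        return "protected"
    if status == 404:
        return "missing"
    if status == 200 and body.strip():
        if any(marker in body for marker in LOGIN_MARKERS):
            return "protected"
        return "exposed"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the Location header itself is the evidence we want."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(path):
    """Request one path with no cookies and no redirects, then classify the reply."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(BASE_URL + path, timeout=10) as r:
            return classify(r.status, r.headers, r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:  # 3xx (unfollowed) and 4xx land here
        return classify(e.code, e.headers, e.read().decode("utf-8", "replace"))


def check_all(paths=ENDPOINTS):
    """Return {path: classification}; any 'exposed' path needs the vendor fix or the add-on disabled."""
    return {p: probe(p) for p in paths}
```

Run `check_all()` once logged out; a path that was fixed should come back as `protected`, and the storymap path should come back `missing` once the add-on serving it is disabled, as the vendor's comment describes.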
