[Bugcrowd] JSM customers can override "JSM public comments enabled" setting and get comments

Description

Jira users can parametrize an approval when they start it manually, which lets them override the definition's "JSM public comments enabled" setting. JSM customers are not offered this option in the UI, but the restriction is enforced only on the client: the server accepts the same parametrization from a customer. A customer can therefore override the "JSM public comments enabled" setting and have approval comments posted as public comments instead of internal notes.

Steps to reproduce:

Part 1. Configuration

  1. Log in as admin, enable Jira Service Management if it is not enabled

  2. On the left-side panel click Apps -> Approval Path

  3. Go to Settings -> General and enable Allow manual initiation of approvals

  4. Go to Settings -> JSM, enable Enable Jira Service Management Customer access and disable Public comment visibility

  5. Go to Definitions

  6. Click Create

  7. Set any name

  8. Select the JSM project in Space

  9. Enable Available for JSM customers and Can be started by JSM customers, disable JSM public comments enabled

  10. Click Add step -> User step, and select the current user in the step settings

  11. Click Save definition

Part 2. The vulnerability

  1. Go to https://<INSTANCE>.atlassian.net/servicedesk in an incognito browser window and sign up

  2. Confirm email to complete sign up

  3. Create any request and open it

  4. Ensure that only the Start and View definition buttons are shown in the Actions column (no Parametrize button)

  5. Go to Burp Suite -> Proxy -> Proxy settings and add 2 match and replace rules:

    • replace Allowed":false by Allowed":true in response body

    • replace Enabled":false by Enabled":true in response body

  6. Reload the page

  7. Click Parametrize -> enable JSM public comments enabled and click Start

  8. Open the ticket as admin

  9. On the right-side panel expand Approval Path

  10. Enable Add comment and approve with comment

  11. The app adds the provided comment as a public comment, visible to the customer. If the approval is instead started with the Start button (the only button available to JSM customers), the comment is added as an internal note that customers cannot see (repeat the steps using Start to confirm). The customer was therefore able to override the setting.
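The following is an added example, not code from the report or from the Approval Path app. It models the two halves of the reproduction above: the Burp match-and-replace rules that flip `...Allowed":false` and `...Enabled":false` to `true` in the response body (which is what makes the Parametrize view appear for a JSM customer), and a backend that decides the start settings from the definition and the requester's role instead of from whatever the client submits, which is the fix QA confirmed. The JSON field names, the role names and the Definition shape are assumptions made for this example; the app's real API is not documented on the page.

```python
"""Added example, not the Approval Path app's own code.

Models (1) the proxy rules from the reproduction steps and (2) a backend
that ignores client-supplied parametrization from JSM customers.
Field names, role names and the Definition shape are assumptions.
"""
import json
import re
from dataclasses import dataclass

# The two rules from the reproduction steps, as (regex, replacement).
BURP_RULES = [
    (r'Allowed":false', 'Allowed":true'),
    (r'Enabled":false', 'Enabled":true'),
]

# Constructed response for a JSM customer viewing a request (assumed field
# names). Serialised without spaces: the rules as written match `":false`,
# so a pretty-printed body containing `": false` would not be rewritten.
SAMPLE_RESPONSE = json.dumps(
    {
        "definitionId": 42,
        "parametrizeAllowed": False,
        "jsmPublicCommentsEnabled": False,
        "actions": ["start", "viewDefinition"],
    },
    separators=(",", ":"),
)


def apply_match_and_replace(body: str, rules=BURP_RULES) -> str:
    """Rewrite a response body the way the proxy rules would."""
    for pattern, replacement in rules:
        body = re.sub(pattern, replacement, body)
    return body


def response_flags(body: str) -> dict:
    """Parse the (possibly tampered) body back into a dict."""
    return json.loads(body)


@dataclass(frozen=True)
class Definition:
    public_comments_enabled: bool
    startable_by_jsm_customers: bool


# Roles allowed to parametrize an approval when starting it (assumed).
PARAMETRIZE_ROLES = {"jira_user", "jsm_admin"}


def resolve_start_settings_trusting_client(definition: Definition,
                                           overrides: dict) -> dict:
    """Vulnerable shape: client-supplied overrides are applied for anyone."""
    settings = {"public_comments_enabled": definition.public_comments_enabled}
    settings.update({k: bool(v) for k, v in overrides.items() if k in settings})
    return settings


def resolve_start_settings(requester_role: str, definition: Definition,
                           overrides: dict) -> dict:
    """Hardened: overrides are honoured only for roles that may parametrize.

    A JSM customer who tampered with the response to reach the parametrize
    view still starts the approval with the definition's defaults.
    """
    if requester_role == "jsm_customer" and not definition.startable_by_jsm_customers:
        raise PermissionError("JSM customers may not start this approval")
    settings = {"public_comments_enabled": definition.public_comments_enabled}
    if requester_role in PARAMETRIZE_ROLES:
        for key in settings:
            if key in overrides:
                settings[key] = bool(overrides[key])
    return settings


def comment_visibility(settings: dict) -> str:
    """Where an "approve with comment" lands for a started approval."""
    return "public" if settings["public_comments_enabled"] else "internal"


if __name__ == "__main__":
    tampered = apply_match_and_replace(SAMPLE_RESPONSE)
    print("tampered flags:", response_flags(tampered))
    definition = Definition(public_comments_enabled=False,
                            startable_by_jsm_customers=True)
    override = {"public_comments_enabled": True}
    print("vulnerable:", comment_visibility(
        resolve_start_settings_trusting_client(definition, override)))
    print("hardened  :", comment_visibility(
        resolve_start_settings("jsm_customer", definition, override)))
```

Running the script shows the tampered flags both reading true while the hardened resolver still reports the comment as internal for a customer; only a role in PARAMETRIZE_ROLES can turn it public. The check that matters is the one on the start request, not the one that hides the button.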

Activity

Adam Lipiński 19 January 2026, 15:55

@Piotr Haraburda Okay, then this is Ready to Merge :check_mark:

Piotr Haraburda 19 January 2026, 14:57

@Adam Lipiński I talked with @Kamil Zarychta and we can ignore that as long as it is checked on the backend. There is no easy solution to prevent a user from getting access to the parametrize view when he changes the response body.

Adam Lipiński 19 January 2026, 12:57

QA pass completed. Even if the user “hacks” access to the parametrize settings and changes anything, the approval will still start with the default settings.

I’ve also confirmed that a JSM admin can still parametrize the approval without issues.

One thing that I am not sure of is whether it is okay that we still allow the parametrize UI to be seen by JSM customers with the “match and replace” tool (the below steps)

  1. Go to Burp Suite -> Proxy -> Proxy settings and add 2 match and replace rules:

    • replace Allowed":false by Allowed":true in response body

    • replace Enabled":false by Enabled":true in response body

  2. Reload the page

@Kamil Zarychta should I create a new ticket for this or is this okay as long as the app does not accept the parametrization performed by the JSM customer?

Adam Lipiński 15 January 2026, 11:09

The issue has been successfully reproduced by QA with provided steps.