[Bugcrowd] JSM customers can get internal secrets via definitions

Description

This issue is similar to 0e670633-bdda-4cee-9ffe-a74f774d2a42, but it is likely not a duplicate since it is on another endpoint and it is related to different entities.

The app can be used in JSM, and there are some security settings related to what JSM users can or cannot do. I found that regardless of these settings, JSM customers can get all approval definitions (including those not available for JSM customers). An approval definition allows adding Webhook steps. I assume that webhooks are usually secured with some authentication. The app allows configuring HTTP headers that will be sent to the Webhook, and I assume that they are supposed to be used for authentication in the webhook. Since JSM customers can see all definitions, they can get the header values.

Steps to reproduce:

Part 1. Configuration

  1. Log in as admin, enable Jira Service Management if it is not enabled

  2. On the left-side panel click Apps -> Approval Path

  3. Go to Settings -> General and enable Allow manual initiation of approvals

  4. Go to Definitions

  5. Click Create

  6. Set any name

  7. Select the JSM project in Space

  8. Enable Available for JSM customers and Can be started by JSM customers

  9. Click Add step -> and add a Webhook step with the headers parameter filled in

  10. Click Save definition

Part 2. The vulnerability

  1. Go to https://<INSTANCE>.atlassian.net/servicedesk in an incognito browser window and sign up

  2. Confirm email to complete sign up

  3. Create any request and open it

  4. Click on the eye button to view the definition

  5. Go to the request history and find a request to https://app.approval-path.com/connect/jira/rest/definition/<ID>?jwt=.... Search for "steps" in the response and find the webhook step; it contains the header value. Also, if a definition is not available to JSM users, you can change the ID in the URL to that definition's ID and retrieve it
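As an added illustration (not the app's own code), this is how the server side of the definition endpoint could enforce the two controls the report shows missing: a JSM customer may only fetch definitions marked available to them, and the webhook step's secret-bearing fields are hidden from every non-admin user, as the fix in the Activity describes. The field names come from the QA comment; the data model, the `User`/`Definition` types and the sample data are constructed for this example.

```python
from dataclasses import dataclass, field

# Field names from the QA comment in the report; everything else here is constructed.
SECRET_WEBHOOK_FIELDS = ("requestUrlTemplate", "requestHeadersTemplate", "requestBodyTemplate")


@dataclass
class User:
    account_id: str
    is_admin: bool = False
    is_jsm_customer: bool = False


@dataclass
class Definition:
    id: int
    name: str
    available_for_jsm_customers: bool  # the "Available for JSM customers" setting (step 8)
    steps: list = field(default_factory=list)


class Forbidden(Exception):
    """Raised when the caller may not read the requested definition."""


def can_view(definition: Definition, user: User) -> bool:
    # Authorization is decided server-side from the stored flag, never from the
    # client-supplied <ID>; JSM customers only see definitions opened to them.
    if user.is_jsm_customer and not user.is_admin:
        return definition.available_for_jsm_customers
    return True  # assumption: admins and licensed Jira users may view definitions


def redact_step(step: dict, user: User) -> dict:
    # Only admins (who can edit definitions) get the webhook URL/headers/body templates.
    if user.is_admin or step.get("type") != "webhook":
        return dict(step)
    return {k: ("<redacted>" if k in SECRET_WEBHOOK_FIELDS else v) for k, v in step.items()}


def serialize_definition(definition: Definition, user: User) -> dict:
    """Response body for GET .../rest/definition/<ID> as seen by `user`."""
    if not can_view(definition, user):
        raise Forbidden(f"definition {definition.id} is not available to this user")
    return {"id": definition.id, "name": definition.name,
            "steps": [redact_step(s, user) for s in definition.steps]}


# Constructed sample data: one customer-facing and one internal definition.
WEBHOOK_STEP = {"type": "webhook", "requestUrlTemplate": "https://hooks.example.invalid/approve",
                "requestHeadersTemplate": {"Authorization": "Bearer EXAMPLE-TOKEN"},
                "requestBodyTemplate": "{}"}
DEFINITIONS = {1: Definition(1, "Customer approval", True, [WEBHOOK_STEP]),
               2: Definition(2, "Internal approval", False, [WEBHOOK_STEP])}
```

The same redaction must be applied on every path that returns a definition (the list view, the single-definition view and the approval view), since the QA comment notes all three were affected.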

Activity

Adam Lipiński 20 January 2026, 17:57

QA pass done. It is no longer possible to see "requestUrlTemplate", "requestHeadersTemplate" and "requestBodyTemplate" values of webhook step when seeing definitions list, viewing the definition or seeing an approval as a non-admin user or JSM customer. ✅

Igor Hercer 19 January 2026, 11:35

@Adam Lipiński I’ve decided to hide the details for all non-admin users since they don’t have access to modify definitions; everything should work OK now.

Adam Lipiński 15 January 2026, 11:33

The issue has been successfully reproduced by QA with provided steps.