TCP Port Enumeration Vulnerability in Custom Email feature of External Share Plugin for Jira Cloud
Description
Bugcrowd: https://tracker.bugcrowd.com/warsawdynamics/submissions/27c4c499-c47b-4b18-a22f-d7ecfe839c74
Applies also to CES. Ask Krzysztof Surdacki, as he fixed a similar issue in Contract Signature.
# Details

It was possible to enumerate internal TCP ports of the server for the External Share for Jira Cloud plugin using the **Custom Email** feature.

## Evidence

When the host `localtest.me` and TCP port `22` were provided, there was a delay of 3,840 milliseconds, suggesting that the port is open but communication with the service was not possible, as illustrated below:

Conversely, with the same host `localtest.me` and TCP port `65535` (a port likely closed locally), a delay of 846 milliseconds was observed when requesting the server to send a share via email, as depicted below:

Thus, it is evident that the response time can be utilized to enumerate internal TCP ports when requesting an email share.

## Impact

An attacker can exploit this vulnerability to infer the status (open/closed) of internal TCP ports on the server. This information can be used as a precursor to more advanced attacks, potentially compromising the security of the server.

## Steps to Reproduce

1. Authenticate as a Jira Cloud administrator and install the External Share plugin.
2. Navigate to `Apps > External Share > Global Settings > Custom Email`.
3. In the `host` field, input `localtest.me`.
4. For the `port` field, input `22`.
5. In the `username` field, input any email address.
6. Save the changes. In another browser tab, navigate to any issue page.
7. Click on the three-dot menu and select `Create External Share`.
8. Click on `Send via Email`.
9. In the `to` field, write any email address.
10. Start the Burp Suite proxy.
11. In the browser, click `Send`.
12. In Burp Suite, identify the request `POST /api/mail HTTP/1.1 Host: jira.external-share.com` and forward it to the repeater.
13. In the repeater, send the request and notice that the response takes about 3,800ms.
14. In the browser, change the value of the `port` field to `65535` and save.
15. Then, again in the repeater, send the request and note it takes around 800ms to return.
@Mariusz Szymański
Unable to add local host, no regression (QA environment). Users may still use this feature with a proper host type.
Hello @Mariusz Szymański,
Please merge code to dev branch.
This is the best moment to add more information that can be helpful to prepare release notes.
Can you prepare a short overview of the change that can be used in release notes?
Please provide a short GIF that showcases the feature.
If a GIF makes no sense, can you provide an image that highlights the feature, to be used in release notes (cropped & annotated)?
Hello @Mariusz Szymański,
This is the best moment to add more information that can be helpful for the tester.
What areas are affected?
What are potential edge cases?
Was it checked for XSS problems?
Does change affect security, is new data exposed?
Please attach Before / After screenshots if possible.
For testers: After this fix, users can no longer provide local hosts as the custom email host. It also verifies that the port is within the valid port range. The change applies to both JES and CES.
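As an added illustration of the validation described in this comment and of the timing issue in the description (example code, not the plugin's own): the check rejects custom mail hosts whose DNS answers include any non-public address and ports outside 1-65535. The resolver table, the example.com names and the 1.2.3.4 / 5.6.7.8 relay addresses are constructed so the example runs offline.

```python
import ipaddress
import socket
from typing import Callable, List, Optional

# Constructed resolver table so the example runs offline. localtest.me really is a
# public name that answers 127.0.0.1, which is what the report relied on; the other
# names and the 1.2.3.4 / 5.6.7.8 "relay" addresses are made-up placeholders.
SAMPLE_DNS = {
    "localtest.me": ["127.0.0.1"],
    "smtp.example.com": ["1.2.3.4"],
    "mixed.example.com": ["5.6.7.8", "10.0.0.5"],  # one public and one RFC 1918 answer
}

def sample_resolver(host: str) -> List[str]:
    """Stand-in for DNS; unknown names fail the way getaddrinfo does."""
    if host not in SAMPLE_DNS:
        raise socket.gaierror(f"cannot resolve {host}")
    return SAMPLE_DNS[host]

def system_resolver(host: str) -> List[str]:
    """Production resolver: every A and AAAA answer, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_internal_address(ip: str) -> bool:
    """True for any address an outbound SMTP relay must never point at."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    # is_global is False for loopback, RFC 1918 / ULA, link-local (169.254/16,
    # i.e. cloud metadata endpoints), unspecified and other special-purpose blocks.
    return not addr.is_global or addr.is_multicast or addr.is_reserved

def reject_reason(host: str, port: int,
                  resolver: Callable[[str], List[str]] = system_resolver) -> Optional[str]:
    """Return None if host/port may be stored as the custom SMTP target, else why not."""
    if not isinstance(port, int) or not 1 <= port <= 65535:
        return "port must be an integer between 1 and 65535"
    host = host.strip().rstrip(".").lower()
    if not host:
        return "host is required"
    try:
        answers = resolver(host)
    except socket.gaierror:
        return "host does not resolve"
    # Every answer must be public: one private record among public ones would
    # still let the mail sender reach an internal service.
    for ip in answers:
        if is_internal_address(ip):
            return f"host resolves to a non-public address ({ip})"
    return None
```

The same check has to run again at send time against the address actually connected to, otherwise a name that changes its DNS answer between save and send still reaches an internal host.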
Hello @Mariusz Szymański,
Change was reviewed and approved.
Task is ready to be deployed to QA.
Once it is deployed to QA, please move the ticket to "To Test".
Thank you!
Hello @Krzysztof Bogdan,
Task is ready for review.
@Mariusz Szymański please make sure the reviewer has easy access to the content to be reviewed.
If this is a code change, please make sure a PR is created.
If this is new documentation, a blog post, etc., please provide a link to the page.