Infosysta Jira 1.6.13_J8 Project List Authentication Bypass

2019.10.29
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Advisory ID: SYSS-2019-042
Product: In-App & Desktop Notification for Jira
Manufacturer: Infosysta
Affected Version(s): 1.6.13_J8
Tested Version(s): 1.6.13_J8
Vulnerability Type: Authentication/Authorization Bypass
Risk Level: Medium
Solution Status: Closed
Manufacturer Notification: 2019-09-24
Solution Date: 2019-10-01
Public Disclosure: 2019-10-23
CVE Reference: CVE-2019-16908, CVE-2019-16909
Author of Advisory: Erik Steltzner, SySS GmbH
                    Fabian Krone, SySS GmbH
                    Sascha Heider, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

In-App & Desktop Notification for Jira is a plug-in that displays Jira's email notifications directly within the application.

The manufacturer describes the product as follows (see [1]):

"In-app & Desktop Notifications for Jira app allows you to get all of Jira's email notifications in front of you. Now you won't have to search through all your emails to check for a specific event in Jira, but all what you need to do is to check the notification section in Jira and see all events that happened in Jira and are related to you. You will also receive instant Desktop notifications as well as you will be able to add comments to the tickets directly from the notification."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

It is possible to view all projects within Jira without authentication/authorization (CVE-2019-16908). Furthermore, it is possible to view all projects within Jira as a logged-in user even though no permission was granted to these projects (CVE-2019-16909).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using the following path, it is possible to see all existing projects without authentication:

/plugins/servlet/nfj/ProjectFilter?searchQuery=

To see all projects as a logged-in user, including those the user has no permission for, use the following path:

/plugins/servlet/nfj/NotificationSettings

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Before delivering a reply, the plug-in should check whether the request carries the necessary authorization, i.e. whether the caller is authenticated and is permitted to see each project it returns.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-09-10: Vulnerability discovered
2019-09-24: Vulnerability reported to manufacturer
2019-10-01: Patch released by manufacturer
2019-10-23: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for In-App & Desktop Notification for Jira
    https://marketplace.atlassian.com/apps/1217434/in-app-desktop-notifications-for-jira
[2] SySS Security Advisory SYSS-2019-042
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-042.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Erik Steltzner, Fabian Krone and Sascha Heider of SySS GmbH.
E-Mail: erik.steltzner@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Erik_Steltzner.asc
Key ID: 0x4C7979CE53163268
Key Fingerprint: 6538 8216 555B FBE7 1E01 7FBD 4C79 79CE 5316 3268

E-Mail: fabian.krone@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Fabian_Krone.asc
Key ID: 0xBFDF30ABD10EA0F4
Key Fingerprint: 0ADE D2AA AE27 7DDA A8F0 C051 BFDF 30AB D10E A0F4

E-Mail: sascha.heider@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Sascha_Heider.asc
Key ID: 0x06C4F8D7FCE9AF94
Key Fingerprint: F99E 89B8 EF77 C34F 6F9F 0E19 06C4 F8D7 FCE9 AF94

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en
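As an added illustration of the Solution section above, the following is a hypothetical hardened servlet written for this page, not Infosysta's plug-in code. It applies both checks the advisory asks for using the standard Jira server API (ComponentAccessor, PermissionManager, ProjectPermissions.BROWSE_PROJECTS); the class name, the "searchQuery" filtering and the JSON output shape are assumptions.

```java
import com.atlassian.jira.component.ComponentAccessor;
import com.atlassian.jira.permission.ProjectPermissions;
import com.atlassian.jira.project.Project;
import com.atlassian.jira.security.PermissionManager;
import com.atlassian.jira.user.ApplicationUser;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Locale;

// Hypothetical hardened project filter servlet (not the vendor's code).
// Finding 1 (CVE-2019-16908): anonymous callers get 401 instead of a list.
// Finding 2 (CVE-2019-16909): a logged-in caller only sees projects on
// which Jira itself grants them BROWSE_PROJECTS.
public class ProjectFilterServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        ApplicationUser user =
                ComponentAccessor.getJiraAuthenticationContext().getLoggedInUser();
        if (user == null) {
            // Authentication check must happen before any data is produced.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String query = req.getParameter("searchQuery");
        String needle = query == null ? "" : query.toLowerCase(Locale.ROOT);
        PermissionManager perms = ComponentAccessor.getPermissionManager();
        resp.setContentType("application/json");
        PrintWriter out = resp.getWriter();
        out.print("[");
        boolean first = true;
        for (Project p : ComponentAccessor.getProjectManager().getProjects()) {
            // Authorization check per project: login state alone is not enough.
            if (!perms.hasPermission(ProjectPermissions.BROWSE_PROJECTS, p, user)) continue;
            if (!p.getName().toLowerCase(Locale.ROOT).contains(needle)) continue;
            if (!first) out.print(",");
            out.printf("{\"key\":\"%s\",\"name\":\"%s\"}", p.getKey(), escape(p.getName()));
            first = false;
        }
        out.print("]");
    }

    // Minimal JSON string escaping for the two characters that matter here.
    private static String escape(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"");
    }
}
```

The same two checks belong in any other servlet of the plug-in that returns project data, such as the NotificationSettings path named in the PoC.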

