Ready to Start Your Career?
March 19, 2019
3 Ways in which Jira Instances Can be Exploited
March 19, 2019
What is Jira?
Jira is an issue tracking product developed by Atlassian that allows bug tracking and agile project management. It is being actively used by large number of big and small companies for issue tracking.
The popularity of Jira has caused it a major target for hackers. We will discuss some ways in which your Jira instance can be compromised due to misconfigured Jira.
1. XSS via SSRF
This can be actively exploited in Jira < 7.3.5 versions. It may be exploited to leak aws credentials or we may rather escalate it to XSS.
If this url gets redirected to bing.com, that means the particular jira instance may be actively exploited for this vulneranbility.
We may try to get the aws credentials by inserting http://169.254.169.254/latest/meta-data/iam/security-credential after consumerUri= parameter.
If nothing is found, we can host a XSS page and call from the parameter to trigger the XSS.
If a jira instance allows the particular url https://jira.xyz.com/secure/popups/UserPickerBrowser.jspa, it possess a major breach of all the internal users along with their emails to any unauthenticated user. This bug was recently used to find internal employee details in a NASA jira instance.
In later version of Jira, Atlassian has patched this bug by asking unauthenticated users to login first.
3. Data Leak via Filters
An option contains in filters which allow "Sharing with the Public". Users sometime mistake it and think that it will be only visible to everyone inside the jira network. But in reality, it can be actually viewed by the public; i.e by any unautheticated user.
The employees may unknowingly leak company data via filter and issue headers.
Some examples are-
In later versions, it has been updated to include more filter options and to allow viewing only inside that is "Shared with Everyone" and not "Shared with Public." This can be changed via settings of jira dasboards.
Most sites continue to remain in the dark about such bugs. I have personally found many misconfigured Jira instances and. However not all companies will be ready to accept such bugs, untill we can show solid information about leaking of internal data.