what you don't know can hurt you

Infosysta Jira 1.6.13_J8 Project List Authentication Bypass

Infosysta Jira 1.6.13_J8 Project List Authentication Bypass
Posted Oct 28, 2019
Authored by Erik Steltzner, Sascha Heider, Fabian Krone

Infosysta Jira version 1.6.13_J8 suffers from an authentication bypass vulnerability that allows you to see project lists.

tags | exploit, bypass
advisories | CVE-2019-16908, CVE-2019-16909
MD5 | 58b9e2b857edf27d3b79eed3151ffa98

Infosysta Jira 1.6.13_J8 Project List Authentication Bypass

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2019-042
Product: In-App & Desktop Notification for Jira
Manufacturer: Infosysta
Affected Version(s): 1.6.13_J8
Tested Version(s): 1.6.13_J8
Vulnerability Type: Authentication/Authorization Bypass
Risk Level: Medium
Solution Status: Closed
Manufacturer Notification: 2019-09-24
Solution Date: 2019-10-01
Public Disclosure: 2019-10-23
CVE Reference: CVE-2019-16908, CVE-2019-16909
Author of Advisory:
Erik Steltzner, SySS GmbH
Fabian Krone, SySS GmbH
Sascha Heider, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

In-App & Desktop Notification for Jira is a Plug-in that displays email notification
from Jira directly within the application.

The manufacturer describes the product as follows (see [1]):

"In-app & Desktop Notifications for Jira app allows you to get all of Jira's
email notifications in front of you. Now you won't have to search through all
your emails to check for a specific event in Jira, but all what you need to do
is to check the notification section in Jira and see all events that happened
in Jira and are related to you.
You will also receive instant Desktop notifications as well as you will be able
to add comments to the tickets directly from the notification."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

It is possible to view all projects within Jira without authentication/authorization.
Furthermore it is possible to view all projects within Jira as a logged in user even
though no permission was granted to these projects.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using the following path it is possible to see all existing projects unauthenticated:
/plugins/servlet/nfj/ProjectFilter?searchQuery=

To see all projects authenticated, use the following path as logged in user:
/plugins/servlet/nfj/NotificationSettings

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Before delivering a reply, it should be checked whether a
request has the necessary authorization.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-09-10: Vulnerability discovered
2019-09-24: Vulnerability reported to manufacturer
2019-10-01: Patch released by manufacturer
2019-10-23: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for In-App & Desktop Notification for Jira
https://marketplace.atlassian.com/apps/1217434/in-app-desktop-notifications-for-jira
[2] SySS Security Advisory SYSS-2019-042
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-042.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Erik Steltzner, Fabian Krone
and Sascha Heider of SySS GmbH.

E-Mail: erik.steltzner@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Erik_Steltzner.asc
Key ID: 0x4C7979CE53163268
Key Fingerprint: 6538 8216 555B FBE7 1E01 7FBD 4C79 79CE 5316 3268

E-Mail: fabian.krone@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Fabian_Krone.asc
Key ID: 0xBFDF30ABD10EA0F4
Key Fingerprint: 0ADE D2AA AE27 7DDA A8F0 C051 BFDF 30AB D10E A0F4

E-Mail: sascha.heider@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Sascha_Heider.asc
Key ID: 0x06C4F8D7FCE9AF94
Key Fingerprint: F99E 89B8 EF77 C34F 6F9F 0E19 06C4 F8D7 FCE9 AF94

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEZTiCFlVb++ceAX+9THl5zlMWMmgFAl2wTyIACgkQTHl5zlMW
Mmj0kA/8CrIl1eTH1kYuWVN0NVqWpGw4TcbkpBLKicKdiVnGUOVEcrDCM+lOI2ZG
JmqmyheM0C1pGkfYaMGl7fqR2y4vgxfuUcv8Iz/U1HSAlZ+MqKaD32o6VW4DkobS
K3OFE5/seV/2YCszw7v+OAqxw9Lz0ewQyQ1xH8d+iH9SY6gATJNfyknIFOIM9YrZ
9Yax774gLgVhrs0nWXeGyCO8pd6lYV0yS0gJDpQrac/bRSCQ5IdImuoJQ+ASl1QC
Lx+H/MU1v3zjJ1nYKqdim+fhElWQxRe09S4myia0cRID5eN2Hxu+zHDiQF8POYt/
va3tfZblUsFZa9uI1z1IE1BuUsBmJuQqvasSHTIbFUO4EfIp0G9yBsPxyG4wCnzX
5wViCbbkBymX0Qronf0LvcNrY7+lovrGF2MtQLiQFXxs8UjcC5n3DqpVu9LISX/E
+VIRJhJjUsCQo1S01K061mXATOv1maIhFmwYeno6SyAJ2z6/uWJh/KF/+7Zcoa9G
LWjJDW9c3EfER7wRudLAYGiSol5O1tO/QZsNPFKXAivRgtWFG1uWPCssgNTN4qr5
Tqw9Er7OUipukoRRS87sduClUDMeFAn2UmJDTRes/hoftiPVTrEtPO/uH/9hCae4
6Fj7E4j7En0LjEau8vCEDd2Bebzb0bLUXEid528U5RwUqguNuuw=
=Rfgo
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    0 Files
  • 17
    Jan 17th
    0 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close