[XPORTER-3644] IDOR Leads to unauthorized user perform operations on templates, audit log and settings - Xblend Issue Tracker

Xporter

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Done
Affects Version/s: 6.6.7
Fix Version/s: 6.6.8
Component/s: Security
Labels:
- security_vulnerability_high
- vulnerability

Sprint:
JIRAXPORTER 2021 Sprint 1, JIRAXPORTER 2021 Sprint 2
Requirement Status:
OK
- 1

Description

Xporter Server is vulnerable to Broken Access Control -> Insecure Direct Object References by performing unauthorized operations on administration services.

Steps to reproduce:

Create one template on jira administration
Create a user without jira administration permissions
List the templates by making a GET http request to http://localhost:8080/rest/jiraxporter/1.0/templates
Delete a template by making a DELETE http request to http://localhost:8080/rest/jiraxporter/1.0/templates/ {id}

Targets:

Templates
Settings Get http request http://localhost:8080/jira/rest/jiraxporter/1.0/settings
Audit logs Get http request

Remediation steps: Implement a middleware to verify user permissions (JiraAdminRequired annotation).

This issue should also be checked as a Jira Service Desk User.

Attachments

Issue Links

mentioned in: Page Loading...

Activity

People

Assignee:: Andre Fernandes Rodrigues

Reporter:: Paulo Alves

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 12/Feb/21 10:34 AM

Updated:: 23/Mar/21 9:45 AM

Resolved:: 19/Mar/21 5:32 PM

Time Tracking

Estimated:

0m

Remaining:

0m

Logged:

1w 1d 5h 25m