Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Done
- Sprint: JIRAXPORTER 2021 Sprint 2
Description
Xporter Server is vulnerable to Broken Access Control -> Insecure Direct Object References: a user can perform unauthorized operations on the different exportations.
Steps to reproduce:
- Go to Global settings and disable the Xporter option in the Export menu (Issue Navigator)
- Log in as a non-admin user
- Go to the Search screen
- Intercept the settings request with Burp Suite (http://localhost:8080/rest/jiraxporter/1.0/settings?key=XP_ISSUE_NAVIGATOR_EXPORT)
- Change the response to:
{ "id": 16, "key": "XP_ISSUE_NAVIGATOR_EXPORT", "value": "true" }
- Open Xporter (Bulk Export); the export can be performed even though the option is disabled
Targets:
- Single Export (note that the settings key in the request is different for this target)
- Bulk Export (note that the settings key in the request is different for this target)
- XLSX Current Fields
- JSD Queues
Also, validate:
- JSD
- Ticket Detail
- Ticket List
- Agile Boards
- Kanban Board
- Release board
- Active Sprint
- Backlog
- Structure
How to fix:
We should use Conditions in the Atlassian plugin.xml instead of passing the value through the REST API. A Condition is evaluated on the server when the menu item is rendered, so the decision never reaches the client as data it can edit; the export endpoints themselves should check the same setting, since hiding a menu item alone does not protect the operation behind it.
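The proposed fix, sketched as an added example that is not Xporter's own code: a plugin.xml web-item guarded by a Condition class that reads the global setting server-side, plus the same check applied inside the export REST resource so the operation is refused even if a client reaches it directly. The package name, the settings storage prefix, the web-item section and link, and the /export/bulk resource path are assumptions for illustration; the setting key XP_ISSUE_NAVIGATOR_EXPORT is the one from the report.

```java
// Added example, not Xporter code. Package, storage prefix, web-item section/link
// and the REST path are assumptions. Shown as one listing for readability; in a real
// plugin each public class goes in its own file.
//
// Wiring in atlassian-plugin.xml (the condition runs on the server when the menu renders):
//
//   <web-item key="xporter-issue-navigator-export" section="ASSUMED-export-menu-section" weight="10">
//     <label>Xporter</label>
//     <link linkId="xporter-export-link">/plugins/servlet/xporter/export</link>  <!-- assumed -->
//     <condition class="com.example.xporter.condition.ExportEnabledCondition">
//       <param name="settingKey">XP_ISSUE_NAVIGATOR_EXPORT</param>
//     </condition>
//   </web-item>
package com.example.xporter.condition; // assumed package

import java.util.Map;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import com.atlassian.plugin.PluginParseException;
import com.atlassian.plugin.web.Condition;
import com.atlassian.sal.api.pluginsettings.PluginSettings;
import com.atlassian.sal.api.pluginsettings.PluginSettingsFactory;

/** Single server-side source of truth for "is this export entry point enabled?". */
public class ExportSettings {
    // Assumed prefix under which the plugin stores its global settings.
    private static final String NAMESPACE = "com.example.xporter.settings.";
    private final PluginSettingsFactory settingsFactory;

    public ExportSettings(PluginSettingsFactory settingsFactory) {
        this.settingsFactory = settingsFactory;
    }

    /** Fail closed: anything other than the literal string "true" counts as disabled. */
    public boolean isEnabled(String settingKey) {
        PluginSettings settings = settingsFactory.createGlobalSettings();
        Object value = settings.get(NAMESPACE + settingKey);
        return "true".equals(value);
    }
}

/** Web-fragment condition: the menu item is only rendered when the setting is on. */
public class ExportEnabledCondition implements Condition {
    private final ExportSettings exportSettings;
    private String settingKey;

    public ExportEnabledCondition(ExportSettings exportSettings) {
        this.exportSettings = exportSettings;
    }

    @Override
    public void init(Map<String, String> params) throws PluginParseException {
        // Each web-item names the key it is guarded by (Single and Bulk Export use different keys).
        settingKey = params.get("settingKey");
        if (settingKey == null || settingKey.isEmpty()) {
            throw new PluginParseException("settingKey param is required");
        }
    }

    @Override
    public boolean shouldDisplay(Map<String, Object> context) {
        return exportSettings.isEnabled(settingKey);
    }
}

/** The export endpoint re-checks the setting: hiding the menu item is not the control. */
@Path("/export") // assumed path under the plugin's REST module
public class ExportResource {
    private final ExportSettings exportSettings;

    public ExportResource(ExportSettings exportSettings) {
        this.exportSettings = exportSettings;
    }

    @GET
    @Path("/bulk")
    @Produces(MediaType.APPLICATION_JSON)
    public Response bulkExport() {
        if (!exportSettings.isEnabled("XP_ISSUE_NAVIGATOR_EXPORT")) {
            // Refuse server-side regardless of what the browser was told by /settings.
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        // ... run the bulk export and return its result ...
        return Response.ok().build();
    }
}
```

With this layout the /settings REST call can still exist for display purposes, but nothing security-relevant depends on its response: both the menu rendering and the export itself consult PluginSettings on the server, so editing the response in a proxy changes what the page shows and nothing else. The same pattern applies to the other targets listed above, each with its own settings key passed as the condition's settingKey param.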