
AMS-27766 - Horizontal Privilege Escalation in Delete Scheduled Reports


    Description

      Summary

      During my analysis of the Xray plugin, it was identified that users with lower privileges in Jira can delete scheduled reports belonging to users from any other project on Jira Cloud, including private projects.

      Details

      As a first proof of concept, the following image shows a Jira instance in which the project named PRIVATE is private and accessible only to the *org-admins* group.

      > Note that a scheduled report was created in this private project.

      ![screenshot-070_19.png](https://bugcrowd.com/xpandit/submissions/2305f554-2223-449f-8d83-9708d9ccaff7/attachments/c5f78e13-7ac6-4566-ab8f-8f3a166a68e4 "screenshot-070_19.png")

      Next, authenticated as a user with lower privileges, a team-managed project was created and, through that project's settings, a scheduled report was created as well. The following images show that, when requesting deletion of a scheduled report, the report belonging to the private project could be deleted merely by supplying its identifier in the *scheduleReportId* parameter while using the session token of the lower-privileged user:

      ![screenshot-070_18.png](https://bugcrowd.com/xpandit/submissions/2305f554-2223-449f-8d83-9708d9ccaff7/attachments/219794db-163e-46df-a33b-d04d14c08bf0 "screenshot-070_18.png")

      • Scheduled report deleted

      ![screenshot-070_20.png](https://bugcrowd.com/xpandit/submissions/2305f554-2223-449f-8d83-9708d9ccaff7/attachments/2f16054e-2ec5-4a4e-ac54-55ace300d03c "screenshot-070_20.png")

      Impact

      An attacker, authenticated as a user with lower privileges, can delete the scheduled reports of other users, projects or teams. Because the plugin only allows 2 scheduled reports to be active in a Jira instance, this frees a slot that lets the attacker enable their own scheduled reports. Additionally, the deletion of scheduled reports belonging to other users can harm their work.

      Steps to Reproduce

      *Xporter Setup*

      1. Log in as Administrator and install the "Xporter" plugin on Jira Cloud.
      2. Navigate to any private project.
      3. Access *project settings > Xporter > Scheduled report*.
      4. Create a new scheduled report for that project (fill in the forms with example data, such as any name, or the JQL `issuetype = task`).
      5. Save the scheduled report and enable it.

      > To make reproduction easier, identify in Burp Suite the request sent to `https://xporter.cloud.getxporter.app/api/scheduledReports?projectId={PRIVATE-PROJECT-ID}&page=0` and copy the identifier of the private project's scheduled report from the *id* parameter.

      1. Log in as a regular user and create a new team-managed project.
      2. Navigate to *Xporter > Scheduled report* in that project's settings.
      3. Start Burp Suite.
      4. Create a new scheduled report configuration.
      5. Then, click to delete the scheduled report and intercept the POST `https://xporter.cloud.getxporter.app/api/scheduledReports/{ATTACKER-REPORT-ID}?projectId={ATTACKER-PROJECT-ID}` request with Burp Suite.
      6. In Burp Suite, send the request to repeater.
      7. In repeater, replace the report ID in the URL with the private project report ID.
      8. Send the request.
      9. Note that the application server returns an OK message. Access *scheduled report* in the private project's settings and observe that the report was deleted.


      Note

      It's important to highlight that an attacker can obtain the scheduled report identifier in several ways. One method is by using the following tool, which allows for the retrieval of valid MongoIDs, as MongoDB objects are generated in a predictable manner.
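      The authorization flaw described above, modelled as an added example (this is not Xporter's code): the vulnerable handler checks the caller's rights on the caller-supplied `projectId` but never ties the report to that project, so any report id deletes; the fixed handler additionally requires the report to belong to the authorized project. Project ids, report ids, user names and group names are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Project:
    id: str
    admin_groups: set = field(default_factory=set)  # groups that may administer it

@dataclass
class User:
    name: str
    groups: set

# Constructed sample data (ids are placeholders, not real Xporter identifiers).
PROJECTS = {
    "PRIVATE": Project("PRIVATE", {"org-admins"}),   # private project
    "TEAM": Project("TEAM", {"team-admins"}),        # attacker's team-managed project
}
REPORTS = {
    "rep-private-1": {"project_id": "PRIVATE", "name": "Weekly tasks"},
    "rep-team-1": {"project_id": "TEAM", "name": "Sprint export"},
}

def can_administer(user, project_id):
    project = PROJECTS.get(project_id)
    return project is not None and bool(user.groups & project.admin_groups)

def delete_report_vulnerable(user, report_id, project_id, reports):
    """Mirrors the reported behaviour: the caller's access to the supplied
    projectId is checked, but the report is never tied to that project, so a
    report id from any other project can be deleted."""
    if not can_administer(user, project_id):
        return "FORBIDDEN"
    if report_id not in reports:
        return "NOT_FOUND"
    del reports[report_id]
    return "OK"

def delete_report_fixed(user, report_id, project_id, reports):
    """Authorize first, then require that the report belongs to the project
    the caller is authorized for; a foreign id looks like a missing one, so the
    endpoint cannot be used to probe other projects' report ids."""
    if not can_administer(user, project_id):
        return "FORBIDDEN"
    report = reports.get(report_id)
    if report is None or report["project_id"] != project_id:
        return "NOT_FOUND"
    del reports[report_id]
    return "OK"
```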

            People

              nikhil.diwan Nikhil Diwan
              bernardo.cottim Bernardo Cottim