[XRAY-7391] Dependency "client-core" can cause server-side request forgery on Xray integrations - Xblend Issue Tracker

Xporter

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: None
Component/s: Security
Labels:
- security_vulnerability_high

Requirement Status:

UNCOVERED

Description

Xray integrations that are using client-core dependency can be vulnerable to server-side request forgery. We are trusting the client to provide a url of a Jira instance, but in fact the user can provide another url to perform a request to a private service in the network that is running Bamboo, Jenkins or TeamCity.

Attachments

Issue Links

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(34 mentioned in)

Activity

People

Assignee:: Unassigned

Reporter:: Paulo Alves

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 25/Mar/21 12:57 PM

Updated:: 3 days ago 9:53 AM

Resolved:: 08/Jul/21 12:20 PM

Time Tracking

Estimated:

Remaining:

Logged:

1d 4h 20m