Xray for Jira Cloud / XRAYCLOUD-7418

AMS-27652 - Bypassing access control using X-real-Ip header allows recovering activity from private issues.


Details

    • XRAYCLOUD 2024 Sprint 10, XRAYCLOUD 2024 Sprint 11
    • OK

    Description

      What is this ticket?

      This ticket tracks the corresponding Bugcrowd submission acc0e8a8-36f4-4743-8129-459895523398. Please make a note of the triage and remediation due dates for this ticket.
      You are not expected to update the status of the ticket. We will automatically sync the status of the Bugcrowd submission for you. Please continue to accept, reject, and close submissions directly in the Bugcrowd portal.

      What can I do with this ticket?

      1. Ensure that you are actioning the submission within the Triage Due Date and Remediation Due Date. Learn more about our Bug Fix Policy here.
      2. Request an SLA extension if you need more time. Learn more about SLA management here.
      3. Engage with our Atlassian Security team by simply commenting on the ticket.
      4. Use our partner dashboard to monitor all your SLAs in one place and analyze trends.

      Ticket updates:

      If you are interested in receiving notifications on all ticket updates, please add yourself to the watchers list.

      Requesting an SLA extension:

      If you need to request an extension to fix the vulnerability, transition this ticket to the EXTENSION REQUESTED status.

      SLA violation notifications:

      You will be notified through email and this ticket as the SLA Due dates approach.

      If you would like to de-list/retire your marketplace app, please create a request here. After you have created the request, please comment with a link to the ticket. Lastly, transition this ticket to the ATLASSIAN INPUT REQUESTED status.

      Need any other help? Please comment on this ticket or you can create a ticket here.

      Bugcrowd Submission Info:

        1. Summary

      It has been identified that lower-privileged users (jira-software-users) can bypass Xray access control and Jira project permissions, performing unauthorized actions on items of private projects, such as reading Test Run Activities and changing Test Run Status.

      The attached video demonstrates the reproduction of the vulnerability.

        2. Details

      As a proof of concept, in the following image, I illustrate a Test Execution (PRIVATE-21) in the *Private* Project created by the administrator, which is restricted to Jira's *org-admins*.

      ![screenshot-066_18.png](https://bugcrowd.com/xpandit/submissions/acc0e8a8-36f4-4743-8129-459895523398/attachments/3d2da40d-e443-4db5-945b-7dbfa165d190 "screenshot-066_18.png")

      Note that the least privileged user (ID: *5d5d89e5c6318a0d6cd6a8ea*) does not have access to the private project.

      Furthermore, note in the following images that it was possible to access the PRIVATE-21 Test Run Activity after sending the following request multiple times, with the *X-Real-Ip: 127.0.0.1* header and the session token of user *5d5d89e5c6318a0d6cd6a8ea*:

      ![screenshot-066_16.png](https://bugcrowd.com/xpandit/submissions/acc0e8a8-36f4-4743-8129-459895523398/attachments/35e53ffe-18b5-4588-bed2-55b0862b3574 "screenshot-066_16.png")

        3. Impact

      An attacker, authenticated as a lower-privileged user, can bypass Xray access control and Jira project permissions to access Private Issue (Test Run) activity, which may include logs, private code, credentials, financial information, among others.

        4. Steps to Reproduce

      *Xray Setup*

      1. Log in as Administrator and install the "XRAY Test Management" plugin on Jira Cloud.
      2. Access a private project, then navigate to *Project settings -> Apps -> XRAY Settings*.
      3. Click on *Add Xray issue types*.
      4. Then, navigate to the project homepage.
      5. Open the plugin via the *Testing Board* button.
      6. In the plugin menu, navigate to *Test Execution*.
      7. Create a new *Test Execution*.
      8. Right-click the Test Execution and select *Open*.
      9. Click on *Add Tests* and create a new Test.
      10. Start the Burp Suite proxy.
      11. Click on the *play button* to execute the test.
      12. In the *Findings* section, add a new attachment.

      > To facilitate reproduction in Burp Suite Proxy, identify the request submitted to `https://xray.cloud.getxray.app/api/internal/testRun/{TEST-RUN-ID}/comment` and copy the value of **{TEST-RUN-ID}** represented by this placeholder.

      13. In another browser, log in as a user with lower privileges.
      14. Navigate to *Apps -> XRAY*.
      15. In Burp Suite, copy this user's JWT from the Authorization header present in requests sent to `xray.cloud.getxray.app`.
      16. Submit the following request after replacing **{JWT}** with this user's JWT and **{TEST-RUN-ID}** with the identifier of the Test Run from the private project:

      ```http
      GET /api/internal/testRun/{TEST-RUN-ID}/activity?limit=10&isArchived=false HTTP/1.1
      Host: xray.cloud.getxray.app
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
      Accept: application/json, text/plain, */*
      Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
      Accept-Encoding: gzip, deflate, br
      Access-Control-Allow-Origin: *
      X-Acpt: {JWT}
      X-Real-Ip: 127.0.0.1
      ```

      17. Keep sending the request multiple times until the server returns the activity of the private issue.
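      Added illustration for remediation and detection; this is not code from the submission or from the Xray product, and the ticket does not say how the service actually consumes X-Real-Ip. The example assumes the common weak pattern behind this class of bug: an application-level check treats a loopback value in a client-supplied X-Real-Ip header as proof of an internal caller and skips the project-permission check. It puts that pattern beside the hardened form, where X-Real-Ip is only honoured when the TCP peer is a configured reverse proxy and the resolved client IP is never an authorization input, and adds a small audit routine that scans constructed access-log lines for requests in which an external peer claimed a loopback or private address. All users, project names, Test Run ids, the proxy range and the log lines are constructed placeholders.

```python
import ipaddress

# Constructed sample data (hypothetical users, projects and Test Run ids; not from the ticket)
PROJECT_MEMBERS = {
    "PRIVATE": {"org-admin"},
    "PUBLIC": {"org-admin", "low-priv-user"},
}
TEST_RUN_PROJECT = {
    "aaaaaaaaaaaaaaaaaaaaaaaa": "PRIVATE",  # placeholder 24-hex-char id
    "bbbbbbbbbbbbbbbbbbbbbbbb": "PUBLIC",
}
# Assumed address range of the reverse proxies that are allowed to set X-Real-Ip
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_project_member(user, test_run_id):
    """The only question authorization should ask: may this user see this project?"""
    project = TEST_RUN_PROJECT.get(test_run_id)
    return project is not None and user in PROJECT_MEMBERS[project]


def vulnerable_can_read_activity(headers, user, test_run_id):
    """Assumed weak pattern: a loopback X-Real-Ip is read as 'internal caller'.
    Any client can send that header, so the permission check is bypassable."""
    if headers.get("X-Real-Ip") == "127.0.0.1":
        return True
    return is_project_member(user, test_run_id)


def effective_client_ip(peer_ip, headers):
    """Resolve the client address: honour X-Real-Ip only when the TCP peer is a
    trusted proxy, otherwise the header is attacker-controlled and ignored."""
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in TRUSTED_PROXIES):
        forwarded = headers.get("X-Real-Ip")
        if forwarded:
            try:
                return ipaddress.ip_address(forwarded)
            except ValueError:
                return peer  # malformed header value: fall back to the peer
    return peer


def hardened_can_read_activity(peer_ip, headers, user, test_run_id):
    """Hardened form: the client IP is resolved for logging or rate limiting only;
    access is decided purely by project membership."""
    _client_ip = effective_client_ip(peer_ip, headers)
    return is_project_member(user, test_run_id)


# Constructed access-log lines in a simple key=value layout (not real Xray logs)
SAMPLE_LOG = [
    "peer=203.0.113.7 x_real_ip=127.0.0.1 path=/api/internal/testRun/aaaaaaaaaaaaaaaaaaaaaaaa/activity",
    "peer=10.1.2.3 x_real_ip=198.51.100.9 path=/api/internal/testRun/bbbbbbbbbbbbbbbbbbbbbbbb/activity",
    "peer=203.0.113.8 x_real_ip=- path=/api/internal/testRun/bbbbbbbbbbbbbbbbbbbbbbbb/activity",
]


def find_spoofed_real_ip(log_lines):
    """Audit helper: flag requests where an untrusted peer supplied an X-Real-Ip
    that is loopback/private or unparsable. Returns (peer, header value, path)."""
    findings = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        peer = ipaddress.ip_address(fields["peer"])
        claimed = fields.get("x_real_ip", "-")
        if claimed == "-" or any(peer in net for net in TRUSTED_PROXIES):
            continue  # no header, or set by a proxy we trust
        try:
            claimed_ip = ipaddress.ip_address(claimed)
        except ValueError:
            findings.append((fields["peer"], claimed, fields["path"]))
            continue
        if claimed_ip.is_loopback or claimed_ip.is_private:
            findings.append((fields["peer"], claimed, fields["path"]))
    return findings


if __name__ == "__main__":
    spoof = {"X-Real-Ip": "127.0.0.1"}
    print("vulnerable:", vulnerable_can_read_activity(spoof, "low-priv-user", "aaaaaaaaaaaaaaaaaaaaaaaa"))
    print("hardened:  ", hardened_can_read_activity("203.0.113.7", spoof, "low-priv-user", "aaaaaaaaaaaaaaaaaaaaaaaa"))
    for finding in find_spoofed_real_ip(SAMPLE_LOG):
        print("suspicious:", finding)
```

      The key design point is that the proxy-trust decision in `effective_client_ip` is made on the TCP peer address, which the client cannot forge, not on any header; and even a correctly resolved client address stays out of the authorization path. The "keep resending" step in the report is consistent with a fleet where only some instances honour the header, which is why the audit routine keys on peer address rather than on which node served the request.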

        5. Note

      It's important to highlight that an attacker can obtain the Test Run identifier in several ways. One method is by using the following tool, which allows for the retrieval of valid MongoIDs, as MongoDB objects are generated in a predictable manner.

      People

        pablo.pena Pablo Peña
        nikhil.diwan Nikhil Diwan