
AMS-27768 - Unauthorized Access to Private Test Runs Fields in Jira Projects


Details

    • XRAYCLOUD 2024 Sprint 10, XRAYCLOUD 2024 Sprint 11
    • OK

    Description

      Summary

      It has been identified that lower-privileged users (jira-software-users) can bypass Jira project permissions and read fields of Test Runs in private projects, such as `comment, testVersionId, executedById, assigneeId, startedOn, finishedOn, stepsProgress, status, customFields`.

      Details

      As a proof of concept, the following image shows a Test Execution (PRIVATE-10) created by the administrator in the *Private* project, which is restricted to Jira's *org-admins*.

      ![screenshot-066_19.png](https://bugcrowd.com/xpandit/submissions/56fbbda2-d35b-4cf8-bef3-b2185f37dde1/attachments/0af25c2d-e77f-4e49-a72b-25e8db0e3922 "screenshot-066_19.png")

      Note that the least privileged user (ID: *5d5d89e5c6318a0d6cd6a8ea*) does not have access to the private project.

      Furthermore, note in the following images that it was possible to access the information of the aforementioned fields of the PRIVATE-10 Test Run, using the user's *5d5d89e5c6318a0d6cd6a8ea* session token:

      ![screenshot-066_20.png](https://bugcrowd.com/xpandit/submissions/56fbbda2-d35b-4cf8-bef3-b2185f37dde1/attachments/27c662db-e9d0-4d4f-9163-0b96b9e9a5dc "screenshot-066_20.png")

      Impact

      An attacker authenticated as a lower-privileged user can read information from multiple private Test Runs, which may include logs (in comments), private code, credentials, financial information, among others.

      Steps to Reproduce

      *Xray Setup*

      1. Log in as Administrator and install the "XRAY Test Management" plugin on Jira Cloud.
      2. Access a private project, then navigate to *project settings -> Apps -> XRAY Settings*.
      3. Click on *Add Xray issue types*.
      4. Then navigate to the project homepage.
      5. Open the plugin via the *Testing Board* button.
      6. In the plugin menu, navigate to *Test Execution*.
      7. Create a new *Test Execution*.
      8. Right-click the Test Execution and select *Open*.
      9. Click on *Add Tests* and create a new Test.
      10. Click on the *play button* to execute the test.
      11. In the *Findings* section, add a new comment.

      12. In another browser, log in as a user with lower privileges.
      13. Navigate to *Apps -> XRAY*.
      14. In Burp Suite, copy this user's JWT from the Authorization header present in requests sent to `xray.cloud.getxray.app`.
      15. Submit the following request after replacing *{JWT}* with this user's JWT and *{TEST-RUN-ID}* with the identifier of the Test Run from the private project.

      > Here I consider that you created the test case after creating the test execution. In this case, the value of the *testIssueId* parameter is the identifier of the Test Case, and the value of the *testExecIssueIds* parameter is the identifier of the Test Execution.

      ```http
      POST /api/internal/testruns?testIssueId=10001 HTTP/1.1
      Host: xray.cloud.getxray.app
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
      Accept: application/json, text/plain, */*
      Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
      Accept-Encoding: gzip, deflate, br
      Access-Control-Allow-Origin: *
      X-Acpt: {JWT}
      Content-Type: application/json;charset=utf-8
      Content-Length: 172
      Origin: https://xray.cloud.getxray.app

      {"filters":{"testExecIssueIds":["10000"]},"fields":["comment","testVersionId","executedById","assigneeId","startedOn","finishedOn","stepsProgress","status","customFields"]}
      ```

      > Note that I have already filled in the value of the *testIssueId* parameter with 10001, and the value of the *testExecIssueIds* parameter with 10000. 

      16. Then increment both parameters by 1 (e.g. *testIssueId* 10002 and *testExecIssueIds* 10001) and resend the request.
      17. Repeat this process until you have the correct identifiers for the private Test Run.
      18. Upon hitting the correct identifiers, observe that the application server returns the information of the Test Run from the private project.
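      The root cause described above is that the endpoint trusts a valid session token as sufficient and never checks whether the caller may browse the projects that `testIssueId` and `testExecIssueIds` belong to, which is what lets sequential ids be walked until a private run answers. The following Python is an added example, not Xray's code: it models the request shape from the report and shows the per-resource check the endpoint needs. Every issue id, project key, account name and test-run record is constructed for the example; `handle_request`, `get_test_runs` and the fixture tables are hypothetical names.

      ```python
      # Added example (not Xray's code): server-side authorization for a test-run
      # lookup endpoint shaped like the one in the report. All ids, project keys,
      # accounts and test-run records below are constructed fixtures.
      from typing import Any

      # Constructed fixture: issue id -> project key. The ids mirror the report
      # (10000 = Test Execution, 10001 = Test, both in the restricted project).
      ISSUE_PROJECT = {
          "10000": "PRIVATE",
          "10001": "PRIVATE",
          "20000": "PUBLIC",
          "20001": "PUBLIC",
      }

      # Constructed fixture: accounts allowed to browse each project (Jira's
      # "Browse Projects" permission reduced to a set per project).
      PROJECT_BROWSERS = {
          "PRIVATE": {"org-admin"},
          "PUBLIC": {"org-admin", "jira-software-user"},
      }

      # Constructed fixture: test runs keyed by (testIssueId, testExecIssueId).
      TEST_RUNS = {
          ("10001", "10000"): {
              "status": "PASSED",
              "executedById": "org-admin",
              "comment": "constructed sensitive comment: staging db creds in log",
          },
          ("20001", "20000"): {
              "status": "TODO",
              "executedById": "jira-software-user",
              "comment": "nothing sensitive here",
          },
      }

      # The field names the report lists as readable through the endpoint.
      ALLOWED_FIELDS = {"comment", "testVersionId", "executedById", "assigneeId",
                        "startedOn", "finishedOn", "stepsProgress", "status", "customFields"}


      def user_can_browse(user_id: str, issue_id: str) -> bool:
          """True only if the issue exists AND the caller may browse its project."""
          project = ISSUE_PROJECT.get(issue_id)
          return project is not None and user_id in PROJECT_BROWSERS.get(project, set())


      def get_test_runs(user_id: str, test_issue_id: str,
                        test_exec_issue_ids: list[str], fields: list[str]) -> list[dict[str, Any]]:
          """Return the requested fields of the matching test runs, or raise.

          The check is per referenced issue, not per endpoint: a valid session
          token says nothing about which projects its owner may see. Unknown ids
          and forbidden ids raise the same exception so the response cannot be
          used as an existence oracle while walking sequential ids.
          """
          for issue_id in [test_issue_id, *test_exec_issue_ids]:
              if not user_can_browse(user_id, issue_id):
                  raise PermissionError(f"issue {issue_id} not visible to {user_id}")

          unknown = set(fields) - ALLOWED_FIELDS
          if unknown:
              raise ValueError(f"unsupported fields: {sorted(unknown)}")

          runs = []
          for exec_id in test_exec_issue_ids:
              run = TEST_RUNS.get((test_issue_id, exec_id))
              if run is not None:
                  runs.append({name: run.get(name) for name in fields})
          return runs


      def handle_request(user_id: str, query: dict[str, str],
                         body: dict[str, Any]) -> tuple[int, Any]:
          """HTTP-style wrapper mirroring the report's request: ?testIssueId=...
          plus a JSON body {"filters": {"testExecIssueIds": [...]}, "fields": [...]}.
          Returns (status code, payload)."""
          try:
              runs = get_test_runs(
                  user_id,
                  query["testIssueId"],
                  list(body["filters"]["testExecIssueIds"]),
                  list(body["fields"]),
              )
          except PermissionError:
              # Same status whether the id is unknown or merely off-limits.
              return 404, {"error": "test run not found"}
          except (KeyError, ValueError) as exc:
              return 400, {"error": str(exc)}
          return 200, runs


      if __name__ == "__main__":
          body = {"filters": {"testExecIssueIds": ["10000"]}, "fields": ["status", "comment"]}
          print(handle_request("org-admin", {"testIssueId": "10001"}, body))
          print(handle_request("jira-software-user", {"testIssueId": "10001"}, body))
      ```

      Two design choices matter here. The permission check runs over every id the request references, including each entry of `testExecIssueIds`, so a mixed list containing one private id yields no data at all rather than a partial result. And the not-found and forbidden cases produce an identical response, which removes the signal that makes incrementing identifiers productive.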

            People

              mgdc Melanie Castro
              bernardo.cottim Bernardo Cottim