Xray for Jira Cloud
XRAYCLOUD-7429

AMS-27673 - Unauthorized Access to Private Project Environments by Lower Privileged Users


Details

    • XRAYCLOUD 2024 Sprint 10, XRAYCLOUD 2024 Sprint 11
    • OK

    Description

      Summary

      It has been identified that lower-privileged users (members of jira-software-users) are able to access the environments of private projects, including their URLs and descriptions and, potentially, credentials embedded in those URLs, which developers commonly use.

      Details

      As a proof of concept, the following image illustrates an environment (PRIVATE-14) in the *Private* Project created by the administrator, which is restricted to Jira's *org-admins*.

      ![screenshot-067_8.png](https://bugcrowd.com/xpandit/submissions/8d3b5d3c-0584-4c9e-b356-3544c5fd18c9/attachments/c020be8a-ed87-4276-8fd2-a25f2d69f005 "screenshot-067_8.png")

      It is noted that the least-privileged user (ID: *5d5d89e5c6318a0d6cd6a8ea*) does not have direct access to the private project.

      Furthermore, the images below demonstrate that it was possible to access the private environment using the session token of the user *5d5d89e5c6318a0d6cd6a8ea*:

      ![screenshot-067_7.png](https://bugcrowd.com/xpandit/submissions/8d3b5d3c-0584-4c9e-b356-3544c5fd18c9/attachments/99230df7-1149-425d-ac30-34afeacf9cbc "screenshot-067_7.png")

      Impact

      An attacker, authenticated as a lower-privilege user, can gain access to Private Project Environments. This may include URLs to private or internal servers, URLs and descriptions of Internal APIs, and potentially credentials embedded within those URLs, when utilized within a private project.

      Steps to Reproduce

      *Xray Setup*

      1. Log in as Administrator and install the "XRAY Test Management" plugin on Jira Cloud.
      2. Access a private project, then navigate to *project settings -> Apps -> XRAY Settings*.
      3. Click on *Add Xray issue types*.
      4. Then, navigate to *Test Environments*.
      5. Create a new *Environment* with the URL "http://bugcrowd:poc@internal.reportsd.api".
      6. Save.

      7. In another browser, log in as a user with lower privileges.
      8. Navigate to *Apps -> XRAY*.
      9. In Burp Suite, copy this user's JWT from the Authorization header present in requests sent to `xray.cloud.getxray.app`.
      10. Submit the following request after replacing *{JWT}* with this user's JWT.

      > Increment the project ID in the URL by 1 until it matches the private project's ID.

      ```http
      GET /api/internal/settings/project/10000/testEnvironments HTTP/1.1
      Host: xray.cloud.getxray.app
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
      Accept: application/json, text/plain, */*
      Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
      Accept-Encoding: gzip, deflate, br
      Access-Control-Allow-Origin: *
      X-Acpt: 
      ```

      11. Note that the server returns the complete details of the private project's environments.
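The root cause in the steps above is a missing object-level authorization check: the endpoint verifies that the caller holds a valid JWT but not that the caller may browse the project named in the URL. The following is an added illustration written for this report, not Xray's or Atlassian's code. It contrasts the authenticated-only handler with one that checks the caller's BROWSE_PROJECTS permission on the specific project, returns a uniform 404 so the endpoint cannot confirm which project IDs exist, and includes a small log check that flags an account denied on several consecutive project IDs (the probing pattern in step 10). All project IDs, account IDs, environment records and the `has_project_permission` stub are constructed sample data; a real app would call Jira's permissions API instead.

```python
"""Object-level authorization for a per-project settings endpoint.

Added illustration, not Xray's code. PROJECTS, ENVIRONMENTS, the account
IDs and has_project_permission() are constructed sample data / stubs.
"""
from dataclasses import dataclass, field

BROWSE_PROJECTS = "BROWSE_PROJECTS"  # Jira project permission name


@dataclass
class Project:
    project_id: int
    name: str
    # Account IDs holding BROWSE_PROJECTS on this project (constructed data).
    browse_members: set = field(default_factory=set)


# Constructed sample data loosely mirroring the report: project 10000 is
# visible to the low-privileged user, project 10001 is the private one.
LOW_PRIV_USER = "5d5d89e5c6318a0d6cd6a8ea"
PROJECTS = {
    10000: Project(10000, "Public", {"admin", LOW_PRIV_USER}),
    10001: Project(10001, "Private", {"admin"}),
}
ENVIRONMENTS = {
    10000: [{"name": "PUBLIC-1", "url": "https://public.example.test/"}],
    10001: [{"name": "PRIVATE-14",
             "url": "http://bugcrowd:poc@internal.example.test/"}],
}


def has_project_permission(account_id, project_id, permission):
    """Stub for a Jira permission lookup (constructed, in-memory)."""
    project = PROJECTS.get(project_id)
    if project is None or permission != BROWSE_PROJECTS:
        return False
    return account_id in project.browse_members


def get_test_environments_vulnerable(account_id, project_id):
    """Authentication only: any valid session reaches any project's data."""
    if not account_id:
        return 401, {"error": "unauthenticated"}
    return 200, {"environments": ENVIRONMENTS.get(project_id, [])}


def get_test_environments_hardened(account_id, project_id):
    """Authentication plus authorization on *this* project (object level)."""
    if not account_id:
        return 401, {"error": "unauthenticated"}
    # Same response whether the project is missing or merely not browsable
    # by the caller, so the endpoint cannot be used to enumerate project IDs.
    if not has_project_permission(account_id, project_id, BROWSE_PROJECTS):
        return 404, {"error": "not found"}
    return 200, {"environments": ENVIRONMENTS.get(project_id, [])}


def simulate_requests(account_id, first_project_id, count):
    """Call the hardened handler on consecutive IDs; return access-log rows."""
    log = []
    for project_id in range(first_project_id, first_project_id + count):
        status, _ = get_test_environments_hardened(account_id, project_id)
        log.append({"account_id": account_id, "project_id": project_id,
                    "status": status})
    return log


def flag_enumeration(access_log, threshold=3):
    """Accounts denied (404) on at least `threshold` distinct project IDs.

    A single 404 is normal; one account collecting denials across many
    different project IDs is the signature worth alerting on.
    """
    denied = {}
    for row in access_log:
        if row["status"] == 404:
            denied.setdefault(row["account_id"], set()).add(row["project_id"])
    return sorted(acct for acct, ids in denied.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print(get_test_environments_vulnerable(LOW_PRIV_USER, 10001))
    print(get_test_environments_hardened(LOW_PRIV_USER, 10001))
    print(flag_enumeration(simulate_requests(LOW_PRIV_USER, 10000, 5)))
```

The permission check is keyed on the project ID taken from the URL, not on anything the client supplies in a token or body, and it runs before any environment record is loaded; the uniform 404 and the denial-per-account counter are the two caveats a practitioner would add to the plain fix.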

            People

              pablo.pena Pablo Peña
              bernardo.cottim Bernardo Cottim