Severity of authenticated flaw heightened by abuse of Jira Service Desk signup facility

Atlassian patches full-read SSRF in Jira

Jira, Atlassian’s popular issue tracking and project management software, was vulnerable to a server-side request forgery (SSRF) flaw that researchers were able to abuse without obtaining credentials.

“There are multiple ways to create user accounts on Jira in order to exploit this issue depending on the configuration of the Jira instance,” said Assetnote CTO and founder Shubham Shah in a blog post.

This included abusing Jira Service Desk’s Signups function, which is often enabled for the purpose of providing a self-service mechanism.

“We were able to successfully exploit this post-authentication vulnerability by first registering on Jira Service Desk, and then using that account to access the Jira Core REST APIs,” said Shah.

Variable impact

Tracked as CVE-2022-26135, the ‘high severity’, full-read SSRF resided in Jira Server Core, “which allows attackers to make requests to arbitrary URLs, with any HTTP method, headers and body”, said Shah.

The issue affects the batch HTTP endpoint used in Mobile Plugin for Jira, which is bundled with Jira and Jira Service Management.

“It is possible to control the HTTP method and location of the intended URL through the method parameter in the body of the vulnerable endpoint,” according to a security advisory from Atlassian.

“Depending on the environment the Jira instance is deployed in, the impact of this bug varies,” it continued. “For example, when deployed in AWS, it could leak sensitive credentials.”
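As a defensive illustration of the impact Atlassian describes, the sketch below checks an outbound request's method and destination before a server fetches it. It is an added example, not code from Atlassian or Assetnote; the function names, the allowed-method list and the sample DNS table are assumptions constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_METHODS = {"GET", "POST"}  # assumption: the only verbs the feature needs

# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {
    "hooks.example": {"93.184.216.34"},
    "mixed.example": {"93.184.216.34", "169.254.169.254"},
}

def sample_resolve(host):
    """Offline stand-in for DNS: IP literals map to themselves."""
    try:
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        if host not in SAMPLE_DNS:
            raise OSError("no such host")
        return SAMPLE_DNS[host]

def system_resolve(host):
    """Every address the system resolver returns for the host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_outbound(method, url, resolve=system_resolve):
    """Return (allowed, reason) for a server-side request to url."""
    if method.upper() not in ALLOWED_METHODS:
        return False, "method not allowed"
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False, "scheme or host not allowed"
    try:
        addrs = resolve(parts.hostname)
    except OSError:
        addrs = set()
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 address
        # Rejects loopback, RFC 1918 and link-local ranges, which include
        # the cloud instance metadata address 169.254.169.254.
        if not ip.is_global:
            return False, f"{ip} is not a public address"
    return True, "ok"
```

A real fetcher must connect to the same address it validated and re-run the check on every redirect, otherwise a second DNS answer or a redirect can bypass it.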


A proof-of-concept exploit fashioned by Assetnote researchers attempts to register an account on Jira Core or Jira Service Desk and then automatically exploits the SSRF vulnerability.

The flaw was reported to Atlassian’s security team on April 21 and patches landed on June 29.

All versions of Jira and Jira Service Management prior to the patched releases are affected by the vulnerability.

Lessons for researchers

The researchers found the SSRF after reverse engineering patches for an authentication bypass vulnerability in Seraph disclosed in April 2022, which also affected Mobile Plugin for Jira.

“Assessing vendor advisories, patches and reverse engineering the affected components can sometimes lead to the discovery of new vulnerabilities,” observed Shah.

He also advised other researchers that “even when it is not possible to bypass authentication through vulnerabilities, consider the full context of the application and its functionalities to determine alternative methods to exploit the issues that were discovered in the post-authentication attack surface”.
