-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2019-041 Product: In-App & Desktop Notification for Jira Manufacturer: Infosysta Affected Version(s): 1.6.13_J8 Tested Version(s): 1.6.13_J8 Vulnerability Type: Authentication/Authorization Bypass Risk Level: High Solution Status: Closed Manufacturer Notification: 2019-09-24 Solution Date: 2019-10-01 Public Disclosure: 2019-10-23 CVE Reference: CVE-2019-16906 Author of Advisory: Erik Steltzner, SySS GmbH Luna Krone, SySS GmbH Sascha Heider, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: In-App & Desktop Notification for Jira is a Plug-in that displays email notification from Jira directly within the application. The manufacturer describes the product as follows (see [1]): "In-app & Desktop Notifications for Jira app allows you to get all of Jira's email notifications in front of you. Now you won't have to search through all your emails to check for a specific event in Jira, but all what you need to do is to check the notification section in Jira and see all events that happened in Jira and are related to you. You will also receive instant Desktop notifications as well as you will be able to add comments to the tickets directly from the notification." ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: With a Jira user name, the corresponding notifications can be read without authentication/authorization. This notification is then no longer displayed to the normal user. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Using the following path it is possible to see notifications for a specific user: /plugins/servlet/nfj/PushNotification?username= ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Before delivering a reply, it should be checked whether a request has the necessary authorization. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2019-09-10: Vulnerability discovered 2019-09-24: Vulnerability reported to manufacturer 2019-10-01: Patch released by manufacturer 2019-10-23: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for In-App & Desktop Notification for Jira https://marketplace.atlassian.com/apps/1217434/in-app-desktop-notifications-for-jira [2] SySS Security Advisory SYSS-2019-041 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-041.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Erik Steltzner, Luna Krone and Sascha Heider of SySS GmbH. E-Mail: erik.steltzner@syss.de Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Erik_Steltzner.asc Key ID: 0x4C7979CE53163268 Key Fingerprint: 6538 8216 555B FBE7 1E01 7FBD 4C79 79CE 5316 3268 E-Mail: luna.krone@syss.de Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Luna_Krone.asc Key ID: 0x31764595D77A53F2 Key Fingerprint: C7AF 1259 B763 D588 E8D2 B302 3176 4595 D77A 53F2 E-Mail: sascha.heider@syss.de Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Sascha_Heider.asc Key ID: 0x06C4F8D7FCE9AF94 Key Fingerprint: F99E 89B8 EF77 C34F 6F9F 0E19 06C4 F8D7 FCE9 AF94 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: https://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEx68SWbdj1Yjo0rMCMXZFldd6U/IFAmeXkhcACgkQMXZFldd6 U/JJlg//dm2AqKywPWhmOGVTNEt2z36v0ZvBp0RBeypqtVlrvn07FElFbzW57C21 2MEepXCOJCC5XVH01yQ9cCEl7Tf323H9751/mjPC+5LEv7AIOfwvhFPVMdEOzpGQ hvIOhCaab4wJdKZOFzupfY8S6xCu8TSTqV9je9Ez+y8yMEE9I9kijA9m7dp/TZ7b IylCFCktQyFImR45sDfVHRd9N7Lrao4qjb7UE+KammW05tMbUJdSPrg1l3znEhLx y4BsDWRWWf70h9F3h+6khmhs5iPK3vyXOTpwuw8EIRTOsi2Lz8O7NaiieG9aHHZ/ enpoK6OBVdy4mUWtnU5evC09XXTxwzbfcO3ok1pj7YUOAAA2GBxWEqUNBvah9muI h1sFpfweuauOu7rmWf2bNvblzV2LsCqE1Dcl9nqXRhoLTePruTKkOvu/0IPgM0E/ 4h4RRLKtRLVJUGQVi7k7SFYpyO2qywxv2ybOmRmyk3pHu1OyH5M9dzWOyR5ysqgm GriSUrfTEbi8D2Wu1T9h6YA9/WHsxULfOb7ZUMMw0WQ+pJUE26jKGmdU383MMwrm gTMQDxCLE2smh+i3poqeSo3XiGjoii419dl74DvIIIKDaJ4cn+ci5oJSEmLeXR+U 1/Fx93rfCD67hs7t92Ah1LpRWANX5T+5OZjavRWb2PxodzRZgwo= =ILfM -----END PGP SIGNATURE-----