Advisory ID: SYSS-2022-039
Product: Jira Misc Custom Fields (JMCF)
Manufacturer: Appfire
Affected Version(s): 2.4.6
Tested Version(s): 2.4.6
Vulnerability Type: Stored Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Closed
Manufacturer Notification: 2022-05-27
Solution Date: 2022-06-29
Public Disclosure: 2022-07-07
CVE Reference: CVE-2022-32567
Author of Advisory: Lukas Faiß, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
Jira Misc Custom Fields (JMCF) is an add-on for Jira to perform custom
calculations.
The manufacturer describes the product as follows (see [1]):
"JMCF by Appfire lets you easily expose 'hidden' issue information and
create calculations - from simple math operations to sophisticated
Groovy scripts."
Due to insufficient input validation of user-provided input, JMCF is
vulnerable to cross-site scripting (XSS) attacks.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
The 'Add Auto Indexing Rule' function is prone to a stored XSS attack.
XSS vulnerabilities allow an attacker to embed malicious JavaScript code
into server replies, which is then executed in the browsers of other users.
By executing JavaScript, attackers can, for example, perform actions in
the context of other logged-in users.
For testing purposes, the manufacturer's add-on [1] was used in
a local Jira Server [4] installation.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
The combo box project selection within the 'Add Auto Indexing Rule'
function is vulnerable to an XSS attack.
If a project with the name "Pent" is created, it is loaded via the
following request when the project list is fetched:
GET /rest/jmcf/1/project/picker?query=&maxResults=1000&showAvatar=true HTTP/2
Host: [REDACTED]
Cookie:
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent:
Sec-Ch-Ua-Platform: "Linux"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://[REDACTED]/secure/JMCFEditIndexingRule!Default.jspa?id=
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
The response contains the project names. When the page renders this
response, the stored malicious code is executed. The following line of the
response contains the malicious stored project name:
,{
"name":"PentProj (PSOPPPP)",
"key":"PSOPPPP",
"html":"PentProj (PSOPPPP)"
},
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
Context-sensitive HTML encoding of project names.
More information:
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
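As an added example that is not part of this advisory or of the JMCF code base, the following JavaScript shows the vulnerable pattern (the picker label copied verbatim into the "html" field of the JSON entry) beside the encoded version described under Solution, plus a check that flags picker entries whose "html" field was left unencoded. The project record, the field names beyond those shown in the PoC response, and the escapeHtml helper are constructed for illustration.

```javascript
// Added example (not JMCF's code): building a project-picker JSON entry with
// the "html" field encoded for an HTML element context, as the advisory's
// Solution section recommends. All project data below is constructed.

// Minimal HTML entity encoder for element-content context: encode the five
// characters that can change how the browser parses the inserted string.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the display label is copied into "html" verbatim, so any
// markup stored in the project name is interpreted when the picker renders it.
function pickerEntryUnsafe(project) {
  const label = `${project.name} (${project.key})`;
  return { name: label, key: project.key, html: label };
}

// Fixed pattern: encode the user-controlled label before it is placed in a
// field that the client will inject as HTML.
function pickerEntrySafe(project) {
  const label = `${project.name} (${project.key})`;
  return { name: label, key: project.key, html: escapeHtml(label) };
}

// Defender-side check for a picker response: return entries whose "html"
// field still carries raw tag delimiters, a quick sign that encoding was skipped.
function findUnencodedEntries(entries) {
  return entries.filter((e) => /[<>]/.test(String(e.html)));
}

// Constructed sample: a project whose name carries (harmless) markup.
const sampleProject = { name: 'Pent<b>Proj</b>', key: 'PSOPPPP' };

console.log(JSON.stringify(pickerEntryUnsafe(sampleProject)));
console.log(JSON.stringify(pickerEntrySafe(sampleProject)));
console.log('unencoded entries:', findUnencodedEntries([
  pickerEntryUnsafe(sampleProject), pickerEntrySafe(sampleProject),
]).length);
```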
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2022-05-12: Vulnerability discovered
2022-05-27: Vulnerability reported to manufacturer
2022-06-29: Patch released by manufacturer
2022-07-07: Public disclosure of vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product website for Jira Misc Custom Fields (JMCF)
https://marketplace.atlassian.com/apps/27136/jira-misc-custom-fields-jmcf?hosting=server&tab=overview
[2] SySS Security Advisory SYSS-2022-039
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-039.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy
[4] Jira Core Server
https://www.atlassian.com/software/jira/core/download
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Lukas Faiß of SySS GmbH.
E-Mail: lukas.faiss@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Lukas_Fai%C3%9F.asc
Key Fingerprint: A145 2068 8E74 5053 A7BE 97C3 D78E AE2E B739 3EEA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en