Type: Bug
Resolution: Won't Fix
Priority: Low
Fix Version: None
Affects Version: 3.6.2
Symptom Severity: Severity 3 - Minor
Please be aware that Atlassian does not consider this issue to represent a security risk as the functionality is restricted to users with administrative rights.
Issue Summary
When adding a Jira server in Bamboo under the "User directories" module, an attacker can put any value in the "Server URL" field and the response from the server is returned to the client. Yes, it's true that if an attacker already had admin on a Bamboo instance, they could do a whole lot more damaging things, but this effectively allows them to scan the internal network that the Bamboo instance is sitting on and determine what other endpoints they can exploit. This vulnerability is especially useful if an attacker does not have a shell on the host and has just popped the Bamboo web app.
Steps to Reproduce
- Log in as an Admin user
- Navigate to Bamboo administration (11.png)
- Click on User directories (22.png)
- Click on Add Directory (33.png)
- Set Directory type to JIRA (44.png)
- Enter Server URL as http://127.0.0.1:8000 (55.png)
- Click on Test settings (66.png)
- Observe the request to the server (77.png)
- Message for open port 80 (88.png)
- Message for non-HTTP open port (92.png)
- Message for closed port (94.png)
Is caused by: BOUNTY-2345
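The mitigation a practitioner would want for the behaviour in the report above is a check on the submitted Server URL before the connectivity test touches the network. The following is an added example and not Bamboo's or Atlassian's code: it parses the URL, allows only http/https, resolves the host, and refuses any address that lands in loopback, private, link-local or similar non-public space, returning the vetted IP so the caller connects to exactly what was checked. The blocked ranges, the `_FAKE_DNS` records and the hostnames `jira.example.com` / `rebind.example.com` are assumptions constructed for the example so it runs offline.

```python
"""
Hardened "Server URL" validation for an admin-facing connectivity test.

Added example, not Bamboo's own code. Before a server-side tester (such
as a "test settings" button) opens a connection, it should parse the URL,
require http/https, resolve the host and refuse anything that lands on
non-public address space. The resolver is injected so the example runs
offline against constructed DNS records.
"""
import ipaddress
from typing import Callable, Iterable, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]

# Ranges a server-side connectivity test must never reach. This list is
# an assumption chosen for the example; tune it to your deployment.
_BLOCKED_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
        "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
        "224.0.0.0/4", "240.0.0.0/4",
        "::/128", "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
    )
]


def _is_blocked(ip: IPAddress) -> bool:
    # Membership across IP versions is simply False, so mixing v4/v6 is safe.
    return any(ip in net for net in _BLOCKED_NETWORKS)


def validate_server_url(url: str, resolve: Resolver) -> str:
    """Return the single IP the caller may connect to, or raise ValueError.

    Returning the resolved address rather than the hostname lets the caller
    connect to what was actually checked, closing the DNS-rebinding window
    between validation and connection.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")

    # Literal IPs (including bracketed IPv6) skip DNS; hostnames resolve.
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        candidates = [ipaddress.ip_address(a) for a in resolve(host)]
    if not candidates:
        raise ValueError(f"host does not resolve: {host!r}")

    # Every record must be public: a single internal A record is enough
    # to turn the tester into an internal port scanner.
    for ip in candidates:
        if _is_blocked(ip) or ip.is_reserved or ip.is_unspecified:
            raise ValueError(f"host {host!r} resolves to non-public {ip}")
    return str(candidates[0])


# Constructed DNS records (assumption) so the example is deterministic.
# 203.0.113.0/24 is documentation space standing in for public addresses.
_FAKE_DNS = {
    "jira.example.com": ["203.0.113.10"],
    "rebind.example.com": ["203.0.113.11", "10.0.0.5"],
}


def fake_resolve(host: str) -> Iterable[str]:
    return _FAKE_DNS.get(host, [])


def classify(url: str) -> str:
    """Demo helper: 'allowed:<ip>' or 'rejected:<reason>'."""
    try:
        return "allowed:" + validate_server_url(url, fake_resolve)
    except ValueError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    for u in ("http://127.0.0.1:8000",           # payload from the report
              "http://169.254.169.254/latest/",  # cloud metadata endpoint
              "http://[::1]:8085/",
              "http://rebind.example.com/",
              "ftp://jira.example.com/",
              "https://jira.example.com/"):
        print(f"{u:36} -> {classify(u)}")
```

In production the injected resolver would wrap `socket.getaddrinfo`, which is also what catches obfuscated literals such as decimal or hex forms of 127.0.0.1: the check runs on the resolved addresses, not on the string the admin typed. The tester must also not follow HTTP redirects from the vetted host, or the redirect target needs the same validation.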
Apologies team. There was a miscommunication on the security team and we're going to close this out since it requires admin privileges. Thanks!