[JRASERVER-59980] JQL filter for Webhooks doesn't work correctly when "Comment" and "Worklog" related events are fired - CVE-2017-18104

      NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.

      Security information

      The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.11.0 allows remote attackers who are able to observe or otherwise intercept webhook events to learn information about changes in issues that should not be sent because they are not contained within the results of a specified JQL query.

      Summary

      JQL filter for Webhooks doesn't work correctly when Comment or Worklog related events are fired.

      Steps to Reproduce

      1. Create a webhook as follows
        • Issue related events
          • JQL: project = <PROJECTKEY>
          • Issue: created, updated
          • Comment: created, updated
          • Worklog: created, updated
      2. Comment or log work on an issue in a project aside from the one which is specified with the JQL

      Expected Results

      The webhook shouldn't be fired.

      Actual Results

      The webhook was fired.

      Notes

      For events that are not "Comment" or "Worklog" related (such as creating or updating an issue),
      the JQL filters the events correctly.

        1. jql.diff (3 kB)
        2. webhook.png (323 kB)
        3. webhooks.png (27 kB)
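A receiver-side check for the expected result above, as an added example that is not part of the original report or of Atlassian's code: it re-derives the project of each delivery and flags events from outside the project named in the webhook's JQL, rejecting any delivery whose project cannot be determined. It assumes payloads carry `webhookEvent` and, where present, an `issue` object with `key` or `fields.project.key`; the function names and sample payloads are constructed for illustration.

```python
import json

# Jira webhook event identifiers matching the events selected in the steps above.
SCOPED_EVENTS = {
    "jira:issue_created", "jira:issue_updated",
    "comment_created", "comment_updated",
    "worklog_created", "worklog_updated",
}

def project_of(payload):
    """Return the project key the event belongs to, or None if unknown."""
    issue = payload.get("issue")
    if not isinstance(issue, dict):
        return None
    fields = issue.get("fields")
    project = fields.get("project") if isinstance(fields, dict) else None
    if isinstance(project, dict) and isinstance(project.get("key"), str):
        return project["key"]
    key = issue.get("key")
    # Fall back to the issue key, which has the form <PROJECTKEY>-<number>.
    if isinstance(key, str) and "-" in key:
        prefix, _, number = key.rpartition("-")
        if prefix and number.isdigit():
            return prefix
    return None

def classify(raw_body, allowed_project):
    """Return 'accept', 'out_of_scope' or 'reject' for one webhook delivery."""
    try:
        payload = json.loads(raw_body)
    except (ValueError, TypeError):
        return "reject"
    if not isinstance(payload, dict) or payload.get("webhookEvent") not in SCOPED_EVENTS:
        return "reject"
    project = project_of(payload)
    if project is None:
        return "reject"  # fail closed: the scope cannot be verified
    return "accept" if project == allowed_project else "out_of_scope"

# Constructed sample deliveries (not captured from a real instance).
SAMPLES = [
    '{"webhookEvent": "jira:issue_updated", "issue": {"key": "APP-12", "fields": {"project": {"key": "APP"}}}}',
    '{"webhookEvent": "comment_created", "issue": {"key": "HR-7"}, "comment": {"body": "x"}}',
    '{"webhookEvent": "worklog_created", "worklog": {"issueId": "10401"}}',
]

def audit(samples, allowed_project):
    """Classify every delivery against the project named in the webhook's JQL."""
    return [classify(s, allowed_project) for s in samples]
```

An `out_of_scope` result for a comment or worklog event after following the steps to reproduce shows that the JQL filter was not applied to that delivery.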

            Ignat (Inactive) added a comment:

            Hello zansm,

            The issue is resolved since Jira 7.6.7 and above. We recommend upgrading the instance to address the issue.

            Cheers,
            Ignat Alexeyenko
            Jira bugmaster.

            Zans McLachlan added a comment (edited):

            Any updates on this issue? This is causing a ton of spam from "on comment" events across the instance...

            We are on 7.4.5 if that helps.

            ΞΔ (Inactive) added a comment:

            iavxhi
            Could you tell me if the project is at least correctly filtered?
            If the issue was ever transitioned from progress to done, it will be searchable by this query.
            "Status" searches by history, not by current transition...
            Maybe this is the case?

            Waiting for your reply.

            Irdi Avxhi added a comment (edited):

            I downloaded Jira locally and I tried the following for an updated issue (Kanban).

            It triggers when you change the workflow for each state. So change isn't included in the version that I have downloaded or this case is not fixed 7.11.0-x64.

             project = "projectName" and status CHANGED FROM "In Progress" TO "Done"

             Probably I am gonna have to handle it myself by ignoring the post.

            ΞΔ (Inactive) added a comment:

            Hello,
            Comment fix is awaiting release.
            Worklog fix is undergoing quality process and will be merged soon.

            ΞΔ (Inactive) added a comment:

            Hello,
            I'm sorry it took so long, however we had a lot on our side recently.
            Currently comment webhook is going to be merged soon.
            However worklog hook still needs to be assessed.

            Stefano Brillante added a comment:

            How is this going? We would like to have this fixed sooner or later.

            Aaron Freeman added a comment:

            Do we know the hold up then? It is actually a security vulnerability - or at least we treat it as such.

            Nathan Neulinger added a comment:

            @David Sumlin - it's worse than that! They've already FIXED IT in their cloud version and aren't including the fix for JIRA Server.

            David Sumlin added a comment:

            So, let me get this straight. According to Atlassian this is a verified bug, yet over 2 years later, no comment, no ... nothing. And Nathan above is basically telling them what code they need to change.

            Come on guys...instead of dumping a bajillion hours into Stride, how about fixing the product that got you the customers in the first place?

              psuwala ΞΔ (Inactive)
              yokamoto Yuki Okamoto (Inactive)
              Affected customers: 82
              Watchers: 96