[JRASERVER-59980] JQL filter for Webhooks doesn't work correctly when "Comment" and "Worklog" related events are fired - CVE-2017-18104 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Medium (View bug fix roadmap)
Fix Version/s: 7.11.0, 7.6.7
Affects Version/s: 7.0.10, 7.1.0, 7.1.2, 7.1.4, 7.1.7, 7.1.9, 7.6.0
Component/s: Webhooks
Labels:

Fixed in Long Term Support Release/s:

Download 7.6
Introduced in Version:
7
Support reference count:
27
Symptom Severity:
Severity 2 - Major
UIS:
90
Bug Fix Policy:
View Atlassian Server bug fix policy

NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.

Security information

The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.11.0 allows remote attackers who are able to observe or otherwise intercept webhook events to learn information about changes in issues that should not be sent because they are not contained within the results of a specified JQL query.

Summary

JQL filter for Webhooks dosn't work correctly when Comment or Worklog related events are fired.

Steps to Reproduce

Create an webhook as follows
- Issue related events
  - JQL: project = <PROJECTKEY>
  - Issue: created, updated
  - Comment: created, updated
  - Worklog: created,updated
Comment or log work on an issue in a project aside from the one which is specified with the JQL

Expected Results

The webhook shouldn't be fired.

Actual Results

The webhook was fired.

Notes

When it comes to NOT "Comment" or "Worklog" related events (like creating issue, updating issue),
the JQL filters the events correctly.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

jql.diff
3 kB
09/Dec/2017 5:33 PM
webhook.png
323 kB
26/Feb/2016 7:25 AM
webhooks.png
27 kB
10/Aug/2016 7:35 AM

is duplicated by

JRASERVER-60721 Webhooks for comments do not respect JQL filter

Closed

JRASERVER-63005 Webhook JQL restriction not working for 'Comment Added' event

Closed

JRASERVER-67663 WebHooks based on "worklog" events do not respect the JQL in place

Closed

is related to

JRASERVER-66134 Return project key in JSON response for comment and worklog related webhook

Gathering Interest

PSR-79 You do not have permission to view this issue

relates to

JRACLOUD-59980 JQL filter for Webhooks doesn't work correctly when "Comment", "Worklog", "Attachment" or "IssueLink" related events are fired

Closed

RAID-785 Loading...

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(2 relates to, 8 mentioned in)

Ignat (Inactive) added a comment - 15/Oct/2018 7:45 AM

Hello zansm,

The issue is resolved since Jira 7.6.7 and above. We recommending upgrading the instance to address the issue.

Cheers,
Ignat Alexeyenko
Jira bugmaster.

Ignat (Inactive) added a comment - 15/Oct/2018 7:45 AM Hello zansm , The issue is resolved since Jira 7.6.7 and above. We recommending upgrading the instance to address the issue. Cheers, Ignat Alexeyenko Jira bugmaster.

Zans McLachlan added a comment - 12/Oct/2018 4:56 PM - edited

Any updates on this issue? This is causing a ton of spam from "on comment" events across the instance...

We are on 7.4.5 if that helps.

Zans McLachlan added a comment - 12/Oct/2018 4:56 PM - edited Any updates on this issue? This is causing a ton of spam from "on comment" events across the instance... We are on 7.4.5 if that helps.

ΞΔ (Inactive) added a comment - 19/Jul/2018 9:45 AM

iavxhi
Could you tell me if project is at least correctly filtered?
If issue was ever transitioned from progress to done it will be searchable by this query.
"Status" searches by history not by current transition...
Maybe this is the case?

Waiting for your reply.

ΞΔ (Inactive) added a comment - 19/Jul/2018 9:45 AM iavxhi Could you tell me if project is at least correctly filtered? If issue was ever transitioned from progress to done it will be searchable by this query. "Status" searches by history not by current transition... Maybe this is the case? Waiting for your reply.

Irdi Avxhi added a comment - 16/Jul/2018 4:22 PM - edited

I downloaded the Jira locally and i try the following for an updated issue ( Kanban)

It triggers when you change the workflow for each state. so change isn't included in the version that i have downloaded or this case is not fixed 7.11.0-x64.

 project = "projectName" and status CHANGED FROM "In Progress" TO "Done"

Probably i am gonna have to handle it myself by ignoring the post.

Irdi Avxhi added a comment - 16/Jul/2018 4:22 PM - edited I downloaded the Jira locally and i try the following for an updated issue ( Kanban) It triggers when you change the workflow for each state. so change isn't included in the version that i have downloaded or this case is not fixed 7.11.0-x64. project = "projectName" and status CHANGED FROM "In Progress" TO "Done" Probably i am gonna have to handle it myself by ignoring the post.

ΞΔ (Inactive) added a comment - 12/Jun/2018 2:25 PM

Hello,
Comment fix is awaiting release.
Worklog fix is undergoing quality process and will be merged soon.

ΞΔ (Inactive) added a comment - 12/Jun/2018 2:25 PM Hello, Comment fix is awaiting release. Worklog fix is undergoing quality process and will be merged soon.

ΞΔ (Inactive) added a comment - 04/Jun/2018 1:11 PM

Hello,
I'm sorry it took so long, however we had a lot on our side recently.
Currently comment webhook is going to be merged soon.
However worklog hook still needs to be assesed.

ΞΔ (Inactive) added a comment - 04/Jun/2018 1:11 PM Hello, I'm sorry it took so long, however we had a lot on our side recently. Currently comment webhook is going to be merged soon. However worklog hook still needs to be assesed.

Stefano Brillante added a comment - 02/May/2018 9:28 AM

how is this going? we would like to have this fixed sooner or later

Stefano Brillante added a comment - 02/May/2018 9:28 AM how is this going? we would like to have this fixed sooner or later

Aaron Freeman added a comment - 24/Apr/2018 1:43 PM

Do we know the hold up then? It is actually a security vulnerability - or at least we treat it as such.

Aaron Freeman added a comment - 24/Apr/2018 1:43 PM Do we know the hold up then? It is actually a security vulnerability - or at least we treat it as such.

Nathan Neulinger added a comment - 23/Apr/2018 10:42 PM

@David Sumlin - it's worse than that! They've already FIXED IT in their cloud version and aren't including the fix for JIRA Server.

Nathan Neulinger added a comment - 23/Apr/2018 10:42 PM @David Sumlin - it's worse than that! They've already FIXED IT in their cloud version and aren't including the fix for JIRA Server.

David Sumlin added a comment - 23/Apr/2018 10:40 PM

So, let me get this straight. According to Atlassian this is a verified bug, yet over 2 years later, no comment, no ... nothing. And Nathan above is basically telling them what code they need to change.

Come on guys...instead of dumping a bajillion hours into Stride, how about fixing the product that got you the customers in the first place?

David Sumlin added a comment - 23/Apr/2018 10:40 PM So, let me get this straight. According to Atlassian this is a verified bug, yet over 2 years later, no comment, no ... nothing. And Nathan above is basically telling them what code they need to change. Come on guys...instead of dumping a bajillion hours into Stride, how about fixing the product that got you the customers in the first place?

Assignee:: ΞΔ (Inactive)

Reporter:: Yuki Okamoto (Inactive)

Affected customers:: 82 This affects my team

Watchers:: 96 Start watching this issue

Created:: 26/Feb/2016 7:31 AM

Updated:: 14/Aug/2024 6:44 PM

Resolved:: 25/Jun/2018 2:42 PM

Jira Data Center

Details

Description

Security information

Summary

Steps to Reproduce

Expected Results

Actual Results

Notes

Attachments

Attachments

Issue Links

Forms

Activity

[JRASERVER-59980] JQL filter for Webhooks doesn't work correctly when "Comment" and "Worklog" related events are fired - CVE-2017-18104

Collapse comment: Ignat (Inactive) added a comment - 15/Oct/2018 7:45 AM

Expand comment: Ignat (Inactive) added a comment - 15/Oct/2018 7:45 AM

Collapse comment: Zans McLachlan added a comment - 12/Oct/2018 4:56 PM, Edited by Zans McLachlan - 12/Oct/2018 5:13 PM

Expand comment: Zans McLachlan added a comment - 12/Oct/2018 4:56 PM, Edited by Zans McLachlan - 12/Oct/2018 5:13 PM

Collapse comment: ΞΔ (Inactive) added a comment - 19/Jul/2018 9:45 AM

Expand comment: ΞΔ (Inactive) added a comment - 19/Jul/2018 9:45 AM

Collapse comment: Irdi Avxhi added a comment - 16/Jul/2018 4:22 PM, Edited by Irdi Avxhi - 16/Jul/2018 4:24 PM

Expand comment: Irdi Avxhi added a comment - 16/Jul/2018 4:22 PM, Edited by Irdi Avxhi - 16/Jul/2018 4:24 PM

Collapse comment: ΞΔ (Inactive) added a comment - 12/Jun/2018 2:25 PM

Expand comment: ΞΔ (Inactive) added a comment - 12/Jun/2018 2:25 PM

Collapse comment: ΞΔ (Inactive) added a comment - 04/Jun/2018 1:11 PM

Expand comment: ΞΔ (Inactive) added a comment - 04/Jun/2018 1:11 PM

Collapse comment: Stefano Brillante added a comment - 02/May/2018 9:28 AM

Expand comment: Stefano Brillante added a comment - 02/May/2018 9:28 AM

Collapse comment: Aaron Freeman added a comment - 24/Apr/2018 1:43 PM

Expand comment: Aaron Freeman added a comment - 24/Apr/2018 1:43 PM

Collapse comment: Nathan Neulinger added a comment - 23/Apr/2018 10:42 PM

Expand comment: Nathan Neulinger added a comment - 23/Apr/2018 10:42 PM

Collapse comment: David Sumlin added a comment - 23/Apr/2018 10:40 PM

Expand comment: David Sumlin added a comment - 23/Apr/2018 10:40 PM

People

Dates