Project key value can be discovered by users who have no access to the project data


    • 4.03
    • 5
    • Severity 3 - Minor
    • 0

      Security auditing tests performed on a locally running instance of the Jira Bug, Issue and Project Tracking Software showed that the application is susceptible to Horizontal Privilege Elevation attacks.

      Case 1:

      Case 1 enables an attacker to view the key ID of issues within a project to which he has not been assigned, by fuzzing the subsequent URL:

      [jira domain]/jira/rest/api/1.0/issues/32418/ActionsAndOperations?atl_token=A816-FTT5-H1WF-I743|e7960e65d3997cd8aebe3cabd0bfa3f71148069f|lin&_=1306849784317

      To illustrate in a more detailed manner, the first image outlined below shows the only project to which the user is assigned — because of privacy concerns, the names of our clients will appear blurred.

      However, the issue page contains a gear-like image (shown below) which spawns the aforementioned URL when clicked. As can be seen in the next image:

      By clicking this gear-like image, the subsequent request is generated:

      By using a fuzzing tool, the number 32418 — generated by the request — can be iterated to reveal other issue key IDs, including ones outside the project this user has been assigned to. As can be seen below:

      Disclaimer: The key ID value in our JIRA instance represents clients/company names and cannot, in any way, leak. On the other hand, the issue key ID can be used to jumpstart other attacks. We would like to strongly state that, independently of our method of usage, we consider this an inadequate and dangerous behavior, since it enables JIRA users to access information regarding other clients/projects aside from the ones that have been assigned to the user in question.

      Case 2:

      Case 2 provides for an even more dangerous scenario because this vulnerability can be exploited without the necessity for authentication.

      Throughout the tests performed within JIRA, the subsequent URL was noticed:

      [jira domain]/jira/secure/AttachScreenshot!default.jspa?id=37772

      After requesting the aforementioned URL, a response is delivered, and part of the code within this response is presented below:

      var parameters = {
        scriptable: "false",
        post: "AttachScreenshot.jspa?secureToken=",
        issue: 39981,
        screenshotname: "screenshot-1",
        after: "/jira/browse/[CLIENT]-2150",  // issue key, i.e. the client name, returned without authentication
        encoding: "UTF-8",
        useragent: jQuery("#user-agent").text()
        // ... remainder of the response omitted in the report
      };

      The "after:" line contains an issue key ID, which reveals the name of a client (issue key IDs are named after client names within our JIRA instance). By extracting that line using a fuzzing tool, this attack provided the possibility of harvesting many more issues, which in this case revealed the names of many more clients.

      The following image presents this behavior:

      It is important to mention that this user only has access to the first client appearing throughout the harvest. And as a result of this attack, many more clients were harvested.

      Disclaimer: the key ID value in our JIRA instance represents clients/company names and cannot, in any way, leak. On the other hand, the issue key ID can be used to jumpstart other attacks. We would like to strongly state that, independently of our method of usage, we consider this an inadequate and dangerous behavior, since it enables JIRA users to access information regarding other clients/projects aside from the ones that have been assigned to the user in question.
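      Both cases come down to the same missing control: an endpoint resolves a numeric issue id to an issue key without checking who is asking (Case 1) or whether anyone is logged in at all (Case 2). The block below is an added example, not Atlassian's code or code from this report. It shows the unchecked lookup beside a hardened one that requires a session, requires browse permission on the issue's project, and answers missing and forbidden ids identically so the response does not confirm an id exists elsewhere, and it adds a simple access-log heuristic for spotting id iteration against the two endpoints named above. Issue ids, keys, user names, permissions and log lines are all constructed for the example.

```javascript
// Added example, not Atlassian's code: the object-level authorization check
// that both cases in this report lack, plus a log heuristic for id iteration.
// Issue ids, keys, users, permissions and log lines below are constructed.

// Constructed issue table: numeric id -> issue key and owning project.
const issues = new Map([
  [32418, { key: "ACME-17", project: "ACME" }],
  [37772, { key: "GLOBEX-4", project: "GLOBEX" }],
  [39981, { key: "GLOBEX-9", project: "GLOBEX" }],
]);

// Constructed permission table: user -> projects the user may browse.
const browsePermission = new Map([
  ["alice", new Set(["ACME"])],
  ["bob", new Set(["ACME", "GLOBEX"])],
]);

// Vulnerable pattern: the id is resolved and the key returned with no check on
// who is asking, so iterating ids enumerates every project's keys, and (as in
// Case 2) the lookup works without any session at all.
function resolveIssueVulnerable(session, issueId) {
  const issue = issues.get(issueId);
  return issue ? { status: 200, key: issue.key } : { status: 404 };
}

// Hardened pattern:
//  1. require an authenticated session (Case 2 was reachable anonymously);
//  2. require browse permission on the issue's project (Case 1);
//  3. answer missing and forbidden ids identically, so the response does not
//     confirm that an id exists in a project the caller cannot see.
function resolveIssueHardened(session, issueId) {
  if (!session || !session.user) return { status: 401 };
  const issue = issues.get(issueId);
  const allowed = browsePermission.get(session.user);
  if (!issue || !allowed || !allowed.has(issue.project)) return { status: 404 };
  return { status: 200, key: issue.key };
}

// Detection: per user, count distinct issue ids requested through the two
// endpoints named in the report and how many of those requests were refused.
// A user touching many distinct ids in one log window is iterating them.
const idPatterns = [
  /^(\S+) GET \/jira\/rest\/api\/1\.0\/issues\/(\d+)\/\S+ (\d{3})$/,
  /^(\S+) GET \/jira\/secure\/AttachScreenshot!default\.jspa\?id=(\d+) (\d{3})$/,
];

function findEnumeration(lines, minDistinctIds = 5) {
  const perUser = new Map();
  for (const line of lines) {
    for (const re of idPatterns) {
      const m = re.exec(line);
      if (!m) continue;
      const [, user, id, status] = m;
      const s = perUser.get(user) || { user, ids: new Set(), notFound: 0 };
      s.ids.add(id);
      if (status === "404") s.notFound++;
      perUser.set(user, s);
    }
  }
  return [...perUser.values()]
    .filter((s) => s.ids.size >= minDistinctIds)
    .map((s) => ({ user: s.user, distinctIds: s.ids.size, notFound: s.notFound }));
}

// Constructed access-log lines in "<user> GET <path> <status>" form, as the
// hardened endpoint would log them; "-" marks an anonymous request.
const sampleLog = [
  "alice GET /jira/rest/api/1.0/issues/32418/ActionsAndOperations 200",
  "alice GET /jira/secure/AttachScreenshot!default.jspa?id=32418 200",
  "mallory GET /jira/rest/api/1.0/issues/32418/ActionsAndOperations 200",
  "mallory GET /jira/rest/api/1.0/issues/32419/ActionsAndOperations 404",
  "mallory GET /jira/rest/api/1.0/issues/32420/ActionsAndOperations 404",
  "mallory GET /jira/rest/api/1.0/issues/32421/ActionsAndOperations 404",
  "mallory GET /jira/secure/AttachScreenshot!default.jspa?id=37772 404",
  "mallory GET /jira/secure/AttachScreenshot!default.jspa?id=37773 404",
  "- GET /jira/secure/AttachScreenshot!default.jspa?id=37772 401",
];

console.log(resolveIssueVulnerable(null, 37772));           // key leaks anonymously
console.log(resolveIssueHardened(null, 37772));             // 401
console.log(resolveIssueHardened({ user: "alice" }, 37772)); // 404, not 403
console.log(findEnumeration(sampleLog));                    // flags "mallory"
```

      The uniform 404 in the hardened lookup matters: returning 403 for ids in other projects would still tell the caller which ids exist, which is enough to map project activity even without the key.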

        1. urlSpawn.png (96 kB)
        2. requestSpawned.png (30 kB)
        3. projetoLiberadoParaUsuario.png (95 kB)
        4. fuzzIdResponse.png (52 kB)
        5. escalacaoHorizontalFuzz.png (52 kB)

              Assignee: Unassigned
              Reporter: João Paulo Lins
              Votes: 4
              Watchers: 8
