Issue key can be enumerated - Resolve Issue Feature


    • Type: Bug
    • Resolution: Duplicate
    • Priority: Low
    • Affects Version/s: 4.4.3
    • Component/s: None
    • Environment: Standalone Version, JDK 1.6.0_26 running on Debian 6 (Squeeze).

    • 4.04

      Security auditing tests performed on a locally running instance of the Jira Bug, Issue and Project Tracking Software showed that the application is susceptible to horizontal privilege elevation attacks within the Resolve Issue feature, accessible through the following address:

      • jira/secure/WorkflowUIDispatcher.jspa?id=61449&action=5&atl_token=A816-FTT5-H1WF-I743

      The vulnerability enables a user to view the ISSUEKEY and TITLE of issues in projects he/she does not have permission to access.

      When resolving an issue, the following window appears:

      [image: 01_resolveIssueScreen.png]

      When the resolve button is clicked, the following request is generated:

      [image: 02_requisicaoOriginalGerada.png]

      By incrementing the ID number in the aforementioned request, the user can access/view information from projects he does not have access to. The following image describes this scenario:

      [image: 03_exploracaoAtaque_ehpTitleIssuekey.png]

      An important thing to mention is that in this case not only the ISSUEKEY can be seen: the TITLE of the issue is also leaked. In our case this becomes a significant problem, since the titles of our issues eventually contain information such as:

      • Server providing sensitive information through SNMP;
      • Possible mySQL sweep;
      • Server with deprecated version of Apache Tomcat;
      • Microsoft IIS Internal IP Address Disclosure Vulnerability;
      • PHPMyAdmin accessible without the need for authentication.

      This information can be associated with the ISSUEKEY to identify the client. In other words, an attacker may be able to learn the VULNERABILITY of a CLIENT within Jira — which is our front-end for communicating with users about their vulnerabilities.
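      The root cause described above is a missing object-level authorization check: the transition screen verifies that the caller is logged in, but not that the caller may browse the project of the issue the `id` parameter resolves to. The following Python model is an added illustration, not Jira's code, of the vulnerable handler beside its hardened form. The issue store, user names, project keys and the `NotFound`/`PermissionError` behaviour are constructed assumptions; the titles reuse two of the examples from this report.

```python
"""Object-level authorization for a workflow transition screen.

Added illustration (not Jira's code): a minimal model of a Resolve Issue
handler that only checks authentication, beside a hardened variant that
re-checks project permission on the issue the id resolves to.
All users, projects and issues below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Set


@dataclass(frozen=True)
class Issue:
    issue_id: int
    key: str
    title: str
    project: str


# Constructed sample data: two projects, each visible to one user only.
ISSUES: Dict[int, Issue] = {
    61449: Issue(61449, "ACME-12", "Server providing sensitive information through SNMP", "ACME"),
    61450: Issue(61450, "BETA-7", "PHPMyAdmin accessible without the need for authentication", "BETA"),
}

BROWSE_PERMISSION: Dict[str, Set[str]] = {
    "alice": {"ACME"},
    "bob": {"BETA"},
}


class NotFound(Exception):
    """Raised both for missing issues and for issues the user may not see."""


def resolve_screen_vulnerable(user: str, issue_id: int) -> dict:
    """Checks only that the caller is authenticated, then renders whatever
    issue the id points to: any user can read keys and titles across projects."""
    if user not in BROWSE_PERMISSION:
        raise PermissionError("not authenticated")
    issue = ISSUES.get(issue_id)
    if issue is None:
        raise NotFound(issue_id)
    return {"key": issue.key, "title": issue.title}


def resolve_screen_hardened(user: str, issue_id: int) -> dict:
    """Authorizes on the object the id resolved to, not on the id alone."""
    if user not in BROWSE_PERMISSION:
        raise PermissionError("not authenticated")
    issue = ISSUES.get(issue_id)
    # Answer "not found" for both a missing issue and a hidden one, so the
    # response does not reveal whether an issue exists in a foreign project.
    if issue is None or issue.project not in BROWSE_PERMISSION[user]:
        raise NotFound(issue_id)
    return {"key": issue.key, "title": issue.title}


def audit_disclosure(handler: Callable[[str, int], dict], user: str,
                     start: int, count: int) -> Dict[int, dict]:
    """Regression check for the fix: which ids in [start, start+count)
    does *handler* disclose to *user*?"""
    disclosed: Dict[int, dict] = {}
    for issue_id in range(start, start + count):
        try:
            disclosed[issue_id] = handler(user, issue_id)
        except NotFound:
            pass
    return disclosed


if __name__ == "__main__":
    for name, handler in (("vulnerable", resolve_screen_vulnerable),
                          ("hardened", resolve_screen_hardened)):
        print(name, sorted(audit_disclosure(handler, "alice", 61449, 2)))
```

      The hardened variant makes the permission decision on the issue's project after the lookup, and collapses "does not exist" and "not permitted" into the same response, which is the property a regression test for this report should assert on.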
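      Until the authorization check is in place, the enumeration pattern the report describes (one client walking consecutive `id` values against `WorkflowUIDispatcher.jspa`) is visible in the front-end web server's access logs. The following Python script is an added detection example, not part of the original report and not Jira's own tooling. It assumes Apache/Tomcat "combined"-style access logs (client IP, authenticated user, request line, status); the log lines, IP addresses, user names and the `atl_token` value `TOKEN` are all constructed for the example.

```python
"""Detect sequential issue-id enumeration against WorkflowUIDispatcher.jspa
in web server access logs.

Added detection example; not part of the original report and not Jira's
tooling. Assumes combined-style access logs. All sample lines are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Sequence
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: one actor walks five consecutive ids in five seconds,
# another makes two unrelated transition requests minutes apart.
SAMPLE_LOG = """\
10.0.0.5 - alice [03/Jan/2012:10:00:01 +0000] "GET /jira/secure/WorkflowUIDispatcher.jspa?id=61449&action=5&atl_token=TOKEN HTTP/1.1" 200 4096
10.0.0.5 - alice [03/Jan/2012:10:00:02 +0000] "GET /jira/secure/WorkflowUIDispatcher.jspa?id=61450&action=5&atl_token=TOKEN HTTP/1.1" 200 4071
10.0.0.5 - alice [03/Jan/2012:10:00:03 +0000] "GET /jira/secure/WorkflowUIDispatcher.jspa?id=61451&action=5&atl_token=TOKEN HTTP/1.1" 200 4102
10.0.0.5 - alice [03/Jan/2012:10:00:04 +0000] "GET /jira/secure/WorkflowUIDispatcher.jspa?id=61452&action=5&atl_token=TOKEN HTTP/1.1" 200 4088
10.0.0.5 - alice [03/Jan/2012:10:00:05 +0000] "GET /jira/secure/WorkflowUIDispatcher.jspa?id=61453&action=5&atl_token=TOKEN HTTP/1.1" 200 4093
10.0.0.9 - bob [03/Jan/2012:10:01:00 +0000] "GET /jira/secure/WorkflowUIDispatcher.jspa?id=7001&action=5&atl_token=TOKEN HTTP/1.1" 200 4090
10.0.0.9 - bob [03/Jan/2012:10:05:00 +0000] "GET /jira/browse/BETA-7 HTTP/1.1" 200 15000
10.0.0.9 - bob [03/Jan/2012:10:09:00 +0000] "GET /jira/secure/WorkflowUIDispatcher.jspa?id=7420&action=5&atl_token=TOKEN HTTP/1.1" 200 4101
"""

# Combined log format: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_transition_requests(log_text: str) -> Dict[str, List[int]]:
    """Map each "ip user" actor to the ordered issue ids it sent to the dispatcher."""
    by_actor: Dict[str, List[int]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/WorkflowUIDispatcher.jspa"):
            continue
        ids = parse_qs(parts.query).get("id")
        if not ids or not ids[0].isdigit():
            continue
        # Only successful responses disclose the screen; drop 4xx/5xx noise.
        if m["status"] != "200":
            continue
        by_actor[f"{m['ip']} {m['user']}"].append(int(ids[0]))
    return by_actor


def longest_sequential_run(ids: Sequence[int]) -> int:
    """Length of the longest run of ids that each differ from the previous by exactly 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumeration(log_text: str, min_run: int = 4) -> Dict[str, int]:
    """Return actors whose dispatcher requests contain a sequential run of
    at least *min_run* ids, with the run length as the value."""
    flagged: Dict[str, int] = {}
    for actor, ids in parse_transition_requests(log_text).items():
        run = longest_sequential_run(ids)
        if run >= min_run:
            flagged[actor] = run
    return flagged


if __name__ == "__main__":
    for actor, run in flag_enumeration(SAMPLE_LOG).items():
        print(f"possible id enumeration by {actor}: {run} consecutive ids")
```

      The threshold `min_run` is a tuning knob: a legitimate user resolving a batch of issues they own will usually touch ids that are not consecutive, so a run of four or more consecutive ids from one actor is a cheap, low-noise signal to alert on while the fix is rolled out.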

      Attachments:

        1. 01_resolveIssueScreen.png (58 kB)
        2. 02_requisicaoOriginalGerada.png (66 kB)
        3. 03_exploracaoAtaque_ehpTitleIssuekey.png (127 kB)
        4. leak01.png (124 kB)
        5. leak02.png (124 kB)
        6. leak03.png (128 kB)
        7. leak04.png (112 kB)
        8. resolve_issue_response.html (4 kB)

    • Assignee: Unassigned
    • Reporter: João Paulo Lins
    • Votes: 0
    • Watchers: 3