CVE-2023-26255: CVEs/CVE-2023-26255.md at main · 1nters3ct/CVEs

An unauthenticated path traversal vulnerability affects the “STAGIL Navigation for Jira - Menu & Themes” plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjCustomDesignConfig endpoint, it is possible to traverse and read the file system.


Overview

"Stagil navigation for jira – Menù & Themes" is a Jira GUI customization plugin that allows, among other things, inserting a custom image as a header and/or footer. The plugin is developed by Stagil, an independent company and Atlassian Silver Solution Partner that focuses on designing efficient and durable plugin solutions for the Jira environment.

Vulnerability Description

Prior to version 2.0.52 of "Stagil navigation for jira – Menù & Themes", the fileName parameter is vulnerable to Directory Traversal, which allows an attacker who knows a file's path to read it from the server.

Directory Traversal is a vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application data, credentials for back-end systems, and sensitive operating system files.

The CVE Program has assigned the ID CVE-2023-26255 to this issue. This is a record on the CVE List, which standardizes names for security problems:

CVE ID: CVE-2023-26255 --> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26255

Impacts

This vulnerability allows an attacker to retrieve files from the server and download them locally. Configuration files containing plaintext passwords can be retrieved, as well as application logs that reveal which users are browsing the site.

CVE-2023-26255 - Directory Traversal

Proof of concept (POC)

Reproducing Steps

First you need to have the "Stagil navigation for jira – Menù & Themes v2.0.50" plugin installed; it can be downloaded from the Atlassian Marketplace.

You can check your "Menù & Themes" version in the admin panel:

Once you have customized the Jira GUI and added a new image as the navigation bar background, you can exploit the vulnerability in question.

Once the image has been uploaded, every time you navigate a project menu an HTTP GET request is made to fetch that image.

This request uses two parameters, "fileName" and "fileMime". The former is vulnerable to Path Traversal because no validation at all is performed on the content of this parameter.

In fact, it is possible to insert a payload, consisting of the path we want to retrieve, inside "fileName" and obtain the contents of that file, as the following images show:

GET /plugins/servlet/snjCustomDesignConfig?fileName=../../../../etc/passwd&fileMime=$textMime  HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin

Moreover, this request can be made without being authenticated; in the next evidence the same request is made without any session cookies:

Suggestions

To fix this vulnerability, it is recommended to update the plugin to version 2.0.52, where this issue is no longer present.
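As an added illustration (not code from the advisory or from the STAGIL plugin), the following shows the server-side check that the vulnerable handler lacks, namely resolving the client-supplied fileName against a fixed upload directory and refusing anything that lands outside it, together with a detection helper that applies the same test to the fileName parameter of logged request targets. The upload directory, the sample request targets and all function names are assumptions for the example.

```python
import urllib.parse
from pathlib import Path

# Hypothetical upload directory; the plugin's real storage path is not stated in the advisory.
UPLOAD_DIR = "/var/atlassian/application-data/jira/stagil-uploads"


class PathTraversalError(ValueError):
    """The requested fileName would resolve outside the upload directory."""


def resolve_upload(base_dir: str, file_name: str) -> Path:
    """Map a client-supplied fileName onto base_dir, refusing anything that escapes it.

    Both paths are canonicalised with resolve(), so '..' segments, absolute
    names and symlinks are judged by where they actually land rather than by
    pattern-matching the string for '../'.
    """
    base = Path(base_dir).resolve()
    candidate = (base / file_name).resolve()  # an absolute file_name replaces base here and is caught below
    if base not in candidate.parents:         # also rejects '' and '.', which resolve to base itself
        raise PathTraversalError(f"{file_name!r} resolves outside {base}")
    return candidate


def is_safe_file_name(file_name: str) -> bool:
    """True if file_name stays inside UPLOAD_DIR after canonicalisation."""
    try:
        resolve_upload(UPLOAD_DIR, file_name)
        return True
    except PathTraversalError:
        return False


def query_has_traversal(request_target: str, param: str = "fileName") -> bool:
    """Detection side: flag a request target whose fileName escapes the upload directory."""
    query = urllib.parse.urlsplit(request_target).query
    values = urllib.parse.parse_qs(query, keep_blank_values=True).get(param, [])
    # parse_qs already decoded once; a second pass also catches double-encoded probes (..%252f).
    return any(not is_safe_file_name(urllib.parse.unquote(v)) for v in values)


# Constructed sample request targets, modelled on the advisory's request (not real log data).
SAMPLE_TARGETS = [
    "/plugins/servlet/snjCustomDesignConfig?fileName=header.png&fileMime=image/png",
    "/plugins/servlet/snjCustomDesignConfig?fileName=../../../../etc/passwd&fileMime=text/plain",
    "/plugins/servlet/snjCustomDesignConfig?fileName=..%2F..%2F..%2F..%2Fetc%2Fpasswd&fileMime=text/plain",
]


def flagged_targets() -> list:
    """Return the sample request targets that the detection rule flags."""
    return [t for t in SAMPLE_TARGETS if query_has_traversal(t)]
```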

Discovered by

Alessandro Fondacci of Cybertech S.p.A.
