CVE-2021-22261: Stored XSS in the Jira issue detail pages (#328389) · Issues · GitLab.org / GitLab · GitLab
A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLab versions starting from 13.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim’s behalf via malicious Jira API responses
HackerOne report #1132083 by thornguyen on 2021-03-22, assigned to @ngeorge1:
Report
Summary
I’ve found a stored XSS vulnerability in the Jira issue detail pages by exploiting the Jira integration. Also, I was able to bypass CSP and gain full JavaScript execution in the gitlab.com context.
Steps to reproduce
Create a mock API that responds with this payload when there are requests to the path /rest/api/2/issue/POC?expand=renderedFields. You can use https://beeceptor.com/ as in my POC video.
In a GitLab project that has a Premium / Ultimate license, go to Settings -> Integrations -> Jira:
- Tick Active in the Enable integration section
- Input any URL at Web URL field
- Input the mock API created in Step 1 to the Jira API URL field
- Click Save changes
- Now go to https://gitlab.com/[YOUR_ORGANIZATION]/[YOUR_PROJECT]/-/integrations/jira/issues/POC and you will see a popup.
Impact
Stored XSS allows attackers to perform arbitrary actions on behalf of victims on the client side. And since the Jira issue detail pages can be made public, this impacts a considerable number of GitLab users and visitors.
Examples
- [REDACTED] (tested in Chrome and Firefox)
What is the current bug behavior?
GitLab doesn’t sanitize the key field in the JSON response from the Jira API, so it leads to stored XSS on the Jira issue detail pages.
[REDACTED]
POC Video
![REDACTED]
What is the expected correct behavior?
GitLab should sanitize the key field in the JSON response from the Jira API before outputting it to the browser.
Output of checks
This bug happens on GitLab.com
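The report's "current" and "expected" behaviour sections describe the root cause and its fix: the `key` field of the upstream Jira response is rendered without escaping, and should be escaped before it reaches the browser. The following Ruby is an added illustration written for this page, not GitLab's code and not the reporter's payload (which is redacted above). It renders a constructed Jira-style response both the vulnerable way (raw interpolation) and the hardened way (HTML-escaping on output), and adds an allowlist check on the key format as defence in depth; the `JIRA_KEY_FORMAT` pattern is an assumption about what a Jira issue key looks like, not a check taken from GitLab. Because the Jira API URL is set by a project maintainer, every byte of that response is attacker-controlled input.

```ruby
require 'json'
require 'erb'

# Constructed sample of a Jira REST response (not a real capture). The "key"
# field carries a script tag, which is the field the report says GitLab
# rendered unescaped on the issue detail page.
MALICIOUS_JIRA_RESPONSE = JSON.generate(
  'id' => '10001',
  'key' => 'POC<script>alert(document.domain)</script>',
  'fields' => { 'summary' => 'Example issue', 'status' => { 'name' => 'Open' } }
).freeze

# Conservative allowlist for a Jira issue key (an assumption for this example,
# not GitLab's actual validation): an uppercase project key, a hyphen, a number.
JIRA_KEY_FORMAT = /\A[A-Z][A-Z0-9_]*-\d+\z/

# Vulnerable pattern: the upstream value is interpolated straight into markup,
# so any HTML in "key" becomes part of the page.
def render_title_unsafe(jira_json)
  issue = JSON.parse(jira_json)
  "<h1>#{issue['key']}: #{issue.dig('fields', 'summary')}</h1>"
end

# Hardened pattern: escape on output. ERB::Util.html_escape turns & < > " '
# into entities, so a script tag in "key" is shown as text, not executed.
def render_title_safe(jira_json)
  issue = JSON.parse(jira_json)
  key = ERB::Util.html_escape(issue['key'].to_s)
  summary = ERB::Util.html_escape(issue.dig('fields', 'summary').to_s)
  "<h1>#{key}: #{summary}</h1>"
end

# Defence in depth: reject a response whose key is not even shaped like a Jira
# key before it reaches any template. Returns the key, or nil when it fails.
def validated_issue_key(jira_json)
  key = JSON.parse(jira_json)['key'].to_s
  JIRA_KEY_FORMAT.match?(key) ? key : nil
end

# Helper for checking rendered output: did a raw tag from upstream survive?
def contains_raw_tag?(html)
  html.include?('<script')
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe: #{render_title_unsafe(MALICIOUS_JIRA_RESPONSE)}"
  puts "safe:   #{render_title_safe(MALICIOUS_JIRA_RESPONSE)}"
  puts "key ok? #{validated_issue_key(MALICIOUS_JIRA_RESPONSE).inspect}"
end
```

Escaping at the output boundary is the fix the report asks for; the format check is the extra layer a reviewer would want, since a key that is not `PROJECT-123` has no business being rendered at all. Note that a CSP is not a substitute here: the reporter states that the policy was bypassed, so the page itself must not emit attacker-controlled markup.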
Attachments
Warning: Attachments received through HackerOne, please exercise caution! [REDACTED]