CVE-2021-22261: Stored XSS in the Jira issue detail pages (#328389) · Issues · GitLab.org / GitLab · GitLab

A stored Cross-Site Scripting vulnerability in the Jira integration in all GitLab versions starting from 13.9 before 14.0.9, all versions starting from 14.1 before 14.1.4, and all versions starting from 14.2 before 14.2.2 allows an attacker to execute arbitrary JavaScript code on the victim’s behalf via malicious Jira API responses

CVE

HackerOne report #1132083 by thornguyen on 2021-03-22, assigned to @ngeorge1:


Summary

I’ve found a stored XSS vulnerability in the Jira issue detail pages by exploiting the Jira integration. Also, I was able to bypass CSP and gain full JavaScript execution under the gitlab.com context.

Steps to reproduce

  1. Create a mock API that responds with this payload when there are requests to the path /rest/api/2/issue/POC?expand=renderedFields. You can use https://beeceptor.com/ like in my POC video.

  2. In a GitLab project that has a Premium / Ultimate license, go to Settings -> Integrations -> Jira:

  • Tick Active in the Enable integration section
  • Input any URL in the Web URL field
  • Input the mock API created in step 1 in the Jira API URL field
  • Click Save changes

  3. Now go to https://gitlab.com/[YOUR_ORGANIZATION]/[YOUR_PROJECT]/-/integrations/jira/issues/POC and you will see a popup.

Impact

Stored XSS allows attackers to perform arbitrary actions on behalf of victims on the client side. And since the Jira issue detail pages can be made public, this impacts a considerable number of GitLab users and visitors.

Examples

  • [REDACTED] (tested in Chrome and Firefox)

What is the current bug behavior?

GitLab doesn’t sanitize the key field in the JSON response from the Jira API, so it leads to stored XSS on the Jira issue detail pages.

[REDACTED]

POC Video

![REDACTED]

What is the expected correct behavior?

GitLab should sanitize the key field in the JSON response from the Jira API before outputting it to the browser.

Output of checks

This bug happens on GitLab.com

Attachments

Warning: Attachments received through HackerOne, please exercise caution! [REDACTED]

How To Reproduce

Please add reproducibility information to this section:
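The report above asks for the key field of the Jira API response to be sanitized before it reaches the browser. As an added example (not GitLab's code and not the reporter's), the snippet below shows the defensive pattern that closes this class of bug: validate the upstream value against the expected Jira issue-key format, and HTML-escape it on output as a second layer. The key format regex, the function names and the sample responses are assumptions.

```javascript
// Assumption: a Jira issue key looks like PROJ-123 (an uppercase project
// key of letters, digits or underscores starting with a letter, a dash,
// then a number). Anything else from the remote API is rejected.
const JIRA_KEY_RE = /^[A-Z][A-Z0-9_]*-[0-9]+$/;

function isValidJiraKey(key) {
  return typeof key === "string" && JIRA_KEY_RE.test(key);
}

// Escape the five characters that let a value break out of HTML text or
// attribute context. Used even for validated keys, so the template never
// interprets the value as markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the HTML fragment for the issue heading from a Jira API response.
// Returns null when the response carries a key that does not look like a
// Jira key, so the caller can show an error instead of rendering it.
function renderIssueHeading(apiResponse) {
  const key = apiResponse && apiResponse.key;
  if (!isValidJiraKey(key)) {
    return null;
  }
  return `<h1 class="issue-key">${escapeHtml(key)}</h1>`;
}

// Constructed sample responses (not taken from the report): one benign key
// and one where the key field carries markup instead of an issue key.
const benignResponse = { key: "POC-1", fields: { summary: "ok" } };
const hostileResponse = { key: "<b>POC</b>-1", fields: { summary: "nope" } };

console.log(renderIssueHeading(benignResponse)); // <h1 class="issue-key">POC-1</h1>
console.log(renderIssueHeading(hostileResponse)); // null
```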
