Headline
CVE-2022-32567
The Appfire Jira Misc Custom Fields (JMCF) app 2.4.6 for Atlassian Jira allows XSS via a crafted project name to the Add Auto Indexing Rule function.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2022-039 Product: Jira Misc Custom Fields (JMCF) Manufacturer: Appfire Affected Version(s): 2.4.6 Tested Version(s): 2.4.6 Vulnerability Type: Stored Cross-Site Scripting (CWE-79) Risk Level: Medium Solution Status: Closed Manufacturer Notification: 2022-05-27 Solution Date: 2022-06-29 Public Disclosure: 2022-07-07 CVE Reference: CVE-2022-32567 Author of Advisory: Lukas Faiß, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Jira Misc Custom Fields (JMCF) is an add-on for Jira to perform custom calculations. The manufacturer describes the product as follows (see [1]): “JMCF by Appfire lets you easily expose ‘hidden’ issue information and create calculations - from simple math operations to sophisticated Groovy scripts.” Due to insufficient input validation of user-provided input, JMCF is vulnerable to cross-site scripting (XSS) attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The ‘Add Auto Indexing Rule’ function is prone to a stored XSS attack. XSS vulnerabilities allow an attacker to embed malicious JavaScript code into server replies which is later executed in the browsers of other users. By executing JavaScript, attackers can, for example, perform actions in the context of other logged-in users. For testing purposes, the add-on of the manufacturer[1] was used in a local Jira Server[4] installation. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The combo box project selection within the ‘Add Auto Indexing Rule’ function is vulnerable to an XSS attack. If a project with the name “Pent” is created, it will be loaded via the following request when loading the projects: GET /rest/jmcf/1/project/picker?query=&maxResults=1000&showAvatar=true HTTP/2 Host: [REDACTED] Cookie: Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", “Google Chrome";v="101” Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Sec-Ch-Ua-Platform: “Linux” Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://[REDACTED]/secure/JMCFEditIndexingRule!Default.jspa?id= Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 The response contains the project names. Within this page, the malicious code is now being executed. Here is a line of the response that contains the malicious stored project name: ,{ "name":"PentProj (PSOPPPP)", "key":"PSOPPPP", "html":"PentProj (PSOPPPP)" }, ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Context-sensitive HTML encoding of project names. More information: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_ Prevention_Cheat_Sheet.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-05-12: Vulnerability discovered 2022-05-27: Vulnerability reported to manufacturer 2022-06-29: Patch released by manufacturer 2022-07-07: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for Jira Misc Custom Fields (JMCF) https://marketplace.atlassian.com/apps/27136/jira-misc-custom-fields-jmcf?hosting=server&tab=overview [2] SySS Security Advisory SYSS-2022-039 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-039.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy [4] Jira Core Server https://www.atlassian.com/software/jira/core/download ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Lukas Faiß of SySS GmbH. E-Mail: [email protected] Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Lukas_Fai%C3%9F.asc Key Fingerprint: A145 2068 8E74 5053 A7BE 97C3 D78E AE2E B739 3EEA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided “as is” and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEoUUgaI50UFOnvpfD146uLrc5PuoFAmLFP9EACgkQ146uLrc5 Pup4yw//QVBRL7vL1QJBPZKUh3tQDka1+1yjOt/IixC1WoccjwTT6Zv+Pb2C8bEJ vCeoqQfBGQeVbiqVaMEiora9ijbDZLorDhjK8UIa3nUGzXGSqgiGJoxDHSe3q1Vr KKOMDqslQP5Zb5CowVtqcNww/ulWm+brr+w6e+sHkc7ibsTPeZaZdh82vqHFs+rb bxcshi+H5kI+QqzKjyP+d+bKoFRbEiKqYX+SRxgY+dY8nGDN3WPIlHie597Jni/M 8QeEjo6owb4QapF7A9emb0PsxJte3nZNeB0NzeHeW0b990Jczl5a4aRZrqKLUq6b Qrmq8Fe8dxr7Gz9btSBFOlbv8B+hSyQNsjvolcjr+0G5czDp6vPvFfP2csJX8hb7 +68xqA5SqL1WBMIWnlddJMC1vknQHvnDkHzl45DPWIWFPMSrBDodQ+A0VkeYe+rd F6jNw2DVXp7Ln2Z2n/OdbhK6+qsLXRB3s6l6sbCsxAI3pvBnNvvq3MjpzBpCvoP4 KvBgu23nucCGGhk3cVWc2iEEcS2aG6FRljiKoYy0+FveyUrB52sTMlD7JttAvgD1 JLJ1df2gDjQ4UOfwaGSl2rQDKWu7M6pxG5jLNvqU1FnQHzlJ8xMaA4K6t3b/oFi8 IKoE7A1LLmkgNpKtqYwFLgVgF+kBro7JYW0NnqXvn92tAXTvQyI= =ZLwT -----END PGP SIGNATURE-----