"Basic" Jira users can Add/Remove Jira Connect Namespaces
NOTE The main concern described in this issue is that "Basic" (non-admin) users in Jira can remove/add namespaces by directly accessing <jira_cloud_namespace>.atlassian.net/plugins/servlet/ac/gitlab-jira-connect-gitlab.com/gitlab-configuration. At this time I do not believe there is any security concern with the JWT itself, even though it is mentioned in the report.
There do not appear to be any links in the UI for "Basic" (non-admin) Jira users to access this page, but when the URL is entered manually it is shown. As the HackerOne reporter describes in this comment, it appears that GitLab needs to verify the permissions in the JWT to decide whether or not to grant access to this page. As per this issue, I believe we intended only Jira admins to be able to add/remove these namespaces:
When viewing this page, it is not necessary to be logged in to GitLab. We show the data here based on the JWT token generated by Jira which ensures that the user making the request here is an admin of the Jira account.
HackerOne report #1147812 by updatelap on 2021-04-03, assigned to @ankelly:
Report
Note:
Hey Gitlab Sec Team,
I contacted your GitLab Support team about your Jira app GitLab.com for Jira Cloud, and they told me that the app is eligible for reporting and reward.
Summary:
GitLab provides an application tool, GitLab.com for Jira Cloud, that allows customers to manage Jira issues in a Jira instance from GitLab.com. After testing the integration feature in the application, it was found that the application leads to the leakage of the JWT to unauthorized users.
About Jira:
Jira Cloud allows the system administrator to add users with different roles such as "Basic, Trusted, and Site administrator", with the highest authority being "Site administrator" and the least "Basic". These roles allow:
- The administrator can fully manage the account by accessing all projects, issues and dashboards, and configuring applications.
- Access to specific projects or issues only. It is not possible to configure applications or to change any of the account settings.
Description:
As mentioned earlier, after installation GitLab.com for Jira Cloud allows an administrator to link their GitLab.com account with Atlassian Jira Cloud. So, after setup, a Jira admin is allowed to go to https://YOUDOMIN.atlassian.net/plugins/servlet/ac/gitlab-jira-connect-gitlab.com/gitlab-configuration
When going to this page, the admin can link GitLab namespaces with Jira Cloud.
[REDACTED]
When you click on "Add namespaces", you can add namespaces and groups to the Jira Cloud instance. So, based on the About Jira description, an employee with "Basic" privileges is not allowed to access the application configuration. After testing whether the GitLab for Jira Cloud app checks the permissions of Jira users before providing the user with the JWT, it was found that the GitLab for Jira Cloud application does not verify the user's permissions and generates the JWT for a user with Basic privileges. This allows this malicious user to link their namespaces or groups to a Jira instance that they do not own, and to remove namespaces or groups added by the system admin. In addition, GitLab allows users to create private namespaces and groups on GitLab and then link them to the Jira instance, so this will reveal these namespaces and private groups.
The normal or expected behavior is for the tool to verify the role of the user who requests the configuration page, and if he does not have the privilege to display the page, a message similar to this should appear.
[REDACTED]
Steps To Reproduce
1. Go to Jira Cloud and create a Jira instance.
2. Add a user with Basic roles. The administrator creates a project and restricts this project to admins only.
[REDACTED]
3. Admin installs the GitLab.com for Jira Cloud app.
4. Admin goes to https://YOUDOMIN.atlassian.net/plugins/servlet/ac/gitlab-jira-connect-gitlab.com/gitlab-configuration and logs in with their GitLab account.
5. Admin clicks "Add namespace" and links a namespace and group to Jira Cloud.
6. User goes to {BaseUrl}/plugins/servlet/ac/gitlab-jira-connect-gitlab.com/gitlab-configuration
[REDACTED]
Impact
1. An unauthorized employee can access the application configuration page and reveal these namespaces and private groups.
2. The server grants a JWT token to the Basic user, allowing it to remove namespaces and groups.
[REDACTED]
3. It allows the user to link his GitLab account to the Jira instance and add his namespaces and groups to an instance that he does not own.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
[REDACTED]
How To Reproduce
Please add reproducibility information to this section:
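The server-side gate the note above asks for, as an added example that is not GitLab's code: a valid Connect JWT only proves the request was issued by Jira for a given account, so the handler for the gitlab-configuration page must separately confirm that account is a Jira site administrator before allowing namespaces to be added or removed. The shared secret, client key, account ids and the admin lookup (a set standing in for a query to Jira) are constructed placeholders.

```python
import base64, hashlib, hmac, json, time
from typing import Callable, Optional

SHARED_SECRET = b"constructed-shared-secret"  # placeholder for the per-installation secret Jira shares at install time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_connect_jwt(account_id: str, secret: bytes, ttl: int = 180) -> str:
    """Constructed stand-in for the HS256 JWT Jira attaches when it loads an app page for a user."""
    now = int(time.time())
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": "constructed-client-key", "sub": account_id,
                                 "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def verify_connect_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims only if signature and expiry check out.
    A valid token proves Jira issued the request for claims['sub']; it says nothing about that user's role."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, claims, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None  # refuse 'none' and any algorithm the shared secret was not issued for
    expected = hmac.new(secret, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    body = json.loads(_b64url_decode(claims))
    return body if body.get("exp", 0) > time.time() else None

def authorize_configuration_page(token: str, secret: bytes,
                                 is_site_admin: Callable[[str], bool]) -> str:
    """Gate for the gitlab-configuration page: a valid JWT alone must not unlock add/remove."""
    claims = verify_connect_jwt(token, secret)
    if claims is None:
        return "deny: invalid JWT"
    if not is_site_admin(claims.get("sub", "")):  # the role check the report says was missing
        return "deny: not a Jira site administrator"
    return "allow"
```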