Arbitrary GFM references rendered in Jira issue description leak private/confidential resources

HackerOne report #1653149 by yvvdwf on 2022-07-28, assigned to @ngeorge1:

Report

Hi,

Gitlab allows integrating Jira issues whose descriptions are rendered using GFM. However, the descriptions are not redacted. Consequently, private/confidential information is leaked to unauthorized users.

This report is basically the same as the previous report. They are the same model of exploitation but their root causes are different. Indeed the Jira descriptions are managed by JiraGfmPipeline pipeline.

Steps to reproduce:

Requirements:

  • access to a premium subscription (no problem on GitLab.com as there are free trials, they work great for the attack)
  • a Jira server. I used a cloud Jira instance on atlassian.com

As a normal user (victim):

  • create a private project, let's call it victim/project-a, then create a confidential issue inside. Its GFM reference is now victim/project-a#1

As an attacker who has a premium subscription (e.g., via free trials):

  • Use an existing project or create a new one
  • Go to Settings/Integrations and select Jira. Follow the guide to fill the form to enable viewing Jira issues in the project.
  • Log in to Jira, create an issue on the dashboard by filling victim/project-a#1 into the Description textbox.
  • Go back to Gitlab web to view the issue you've created, e.g., in Issues/Jira issues, then select the issue
  • Right click on the link of victim/project-a#1 to view its source code. You should see the title of the issue created by the victim.
  • Below is an example when I used gitlab-org/gitlab#363725 as payload which is used to track one of my H1 reports.

jira-pipeline.png

Impact

This vulnerability allows rendering all GFM references, such as merge requests, issues, etc., even if they are private or confidential.

For example, attackers can simply scan through all issue numbers (starting from 1) of the gitlab-org/gitlab project, thus leaking their titles.

Best regards,
yvvdwf

Impact

This vulnerability allows an attacker to access all private or confidential GFM references, such as merge requests, issues, etc.

For example, attackers can simply scan through all issue numbers (starting from 1) of the gitlab-org/gitlab project, thus leaking their titles.
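As an added illustration of the root cause (a constructed model, not GitLab's JiraGfmPipeline or any GitLab code), the Ruby below contrasts a reference renderer that resolves every `group/project#N` reference with its title against one that runs a redaction step using the viewing user's permissions, which is the step the report says is missing for Jira descriptions. The structs, `can_read_issue?` and the sample data are assumptions made for the example.

```ruby
# Constructed model of a GFM reference pipeline (not GitLab's own code).
# Users, projects and issues are plain structs; nothing here talks to a
# real GitLab or Jira instance.
User    = Struct.new(:name)
Project = Struct.new(:path, :owner, :private)
Issue   = Struct.new(:project, :iid, :title, :confidential)

# Hypothetical permission check: a user may read an issue only if they own
# the project, or the project is public and the issue is not confidential.
def can_read_issue?(user, issue)
  return true if issue.project.owner == user
  !issue.project.private && !issue.confidential
end

# Matches references of the form group/project#123.
REF_RE = %r{\b([\w.-]+/[\w.-]+)#(\d+)\b}

def find_issue(issues, path, iid)
  issues.find { |i| i.project.path == path && i.iid == iid }
end

# Behaviour described in the report: every reference that resolves is
# rendered with its title, regardless of who is viewing the text.
def render_without_redaction(text, issues)
  text.gsub(REF_RE) do
    raw, path, iid = $&, $1, $2.to_i
    issue = find_issue(issues, path, iid)
    issue ? "<a href=\"/#{path}/-/issues/#{iid}\">#{issue.title}</a>" : raw
  end
end

# Hardened form: after resolving the reference, a redaction step drops the
# link and title for issues the viewer cannot read, leaving the raw text.
def render_with_redaction(text, issues, viewer)
  text.gsub(REF_RE) do
    raw, path, iid = $&, $1, $2.to_i
    issue = find_issue(issues, path, iid)
    next raw unless issue && can_read_issue?(viewer, issue)
    "<a href=\"/#{path}/-/issues/#{iid}\">#{issue.title}</a>"
  end
end

# Constructed sample data mirroring the report's scenario.
VICTIM      = User.new("victim")
ATTACKER    = User.new("attacker")
PROJECT     = Project.new("victim/project-a", VICTIM, true)
ISSUES      = [Issue.new(PROJECT, 1, "Secret launch plan", true)]
DESCRIPTION = "See victim/project-a#1 for details"
```

Rendering `DESCRIPTION` for `ATTACKER` with the redacting version returns the text unchanged, while the non-redacting version exposes the confidential title to anyone who can view the Jira issue.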
