Arbitrary GFM references rendered in Jira issue description leak private/confidential resources
HackerOne report #1653149 by yvvdwf
on 2022-07-28, assigned to @ngeorge1:
Report
Hi,
Gitlab allows integrating Jira issues whose descriptions are rendered using GFM. However, the descriptions are not redacted. Consequently, private/confidential information is leaked to unauthorized users.
This report is basically the same as the previous report. They are the same model of exploitation, but their root causes are different. Indeed, the Jira descriptions are managed by the JiraGfmPipeline pipeline.
Steps to reproduce:
Requirements:
- access to a premium subscription (no problem on GitLab.com as there are free trials, they work great for the attack)
- a Jira server. I used a cloud Jira instance on atlassian.com
As a normal user (victim):
- create a private project, let's call it victim/project-a, then create a confidential issue inside. Its GFM reference is now victim/project-a#1
As an attacker which has a premium subscription (e.g., via free trials):
- In an existing project or create a new one
- Go to Settings/Integrations and select Jira. Follow the guide to fill the form to enable viewing Jira issues in the project.
- Login to Jira, create an issue on the dashboard by filling victim/project-a#1 into the Description textbox.
- Go back to the Gitlab web UI to view the issue you've created, e.g., in Issues/Jira issues, then select the issue
- Right click on the link of victim/project-a#1 to view its source code. You should see the title of the issue created by the victim.
- Below is an example when I used gitlab-org/gitlab#363725 as payload, which is used to track one of my H1 reports.
Impact
This vulnerability allows rendering all GFM references, such as merge requests, issues, etc., even if they are private or confidential.
For example, attackers can simply scan through all issue numbers (starting from 1) of the gitlab-org/gitlab project, and thus leak their titles.
Best regards,
yvvdwf
Impact
This vulnerability allows an attacker to access all private or confidential GFM references, such as merge requests, issues, etc.
For example, attackers can simply scan through all issue numbers (starting from 1) of the gitlab-org/gitlab project, and thus leak their titles.
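The two points the report makes, that an unredacted reference filter resolves every project#N reference with its title regardless of who is viewing and that this turns into bulk enumeration, are modelled below in a small added example. This is not GitLab's code and does not use its Banzai filter classes; the projects, issue titles, membership model and URL shape are all constructed here for illustration.

```ruby
require 'set'

# Constructed dataset (hypothetical): a private project holding a confidential
# issue, and a public project anyone may read.
ISSUES = {
  'victim/project-a' => {
    1 => { title: 'Rotate the prod DB password before Friday', confidential: true, project_private: true }
  },
  'acme/public-app' => {
    7 => { title: 'Typo on landing page', confidential: false, project_private: false }
  }
}.freeze

# Constructed access model: a viewer is a member of a set of project paths;
# nil means an anonymous viewer.
User = Struct.new(:name, :memberships)

def can_read_issue?(user, project_path, issue)
  return true if user && user.memberships.include?(project_path)
  !issue[:project_private] && !issue[:confidential]
end

# Shape of a cross-project issue reference, e.g. victim/project-a#1
REFERENCE_RE = %r{(?<project>[\w.-]+/[\w.-]+)#(?<iid>\d+)}

def lookup(project, iid)
  ISSUES.dig(project, iid)
end

def render_link(project, iid, issue)
  %(<a href="/#{project}/-/issues/#{iid}" title="#{issue[:title]}">#{project}##{iid}</a>)
end

# Vulnerable behaviour from the report: every reference that resolves is
# rendered with its title, with no check on the viewer.
def render_unredacted(text)
  text.gsub(REFERENCE_RE) do
    m = Regexp.last_match
    issue = lookup(m[:project], m[:iid].to_i)
    issue ? render_link(m[:project], m[:iid], issue) : m[0]
  end
end

# Hardened form: references the viewer may not read are redacted back to the
# plain text they typed, so a resolved-but-forbidden issue looks identical to
# a non-existent one.
def render_redacted(text, viewer)
  text.gsub(REFERENCE_RE) do
    m = Regexp.last_match
    issue = lookup(m[:project], m[:iid].to_i)
    next m[0] unless issue && can_read_issue?(viewer, m[:project], issue)
    render_link(m[:project], m[:iid], issue)
  end
end

# The enumeration from the Impact section: stuff project#1 .. project#N into one
# description, render it through the given renderer, and scrape back the titles.
def harvest_titles(project, iids, renderer)
  payload = iids.map { |i| "#{project}##{i}" }.join(' ')
  html = renderer.call(payload)
  html.scan(%r{#{Regexp.escape(project)}/-/issues/(\d+)" title="([^"]*)"}).to_h { |iid, t| [iid.to_i, t] }
end

if __FILE__ == $PROGRAM_NAME
  attacker = User.new('attacker', Set['acme/public-app'])
  puts harvest_titles('victim/project-a', 1..5, method(:render_unredacted)).inspect
  puts harvest_titles('victim/project-a', 1..5, ->(t) { render_redacted(t, attacker) }).inspect
end
```

Run stand-alone, the first line of output is the harvested title of the victim's confidential issue and the second is an empty hash. The essential property of the hardened path is that the attacker cannot distinguish "issue exists but is forbidden" from "issue does not exist", so scanning iids yields nothing.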
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: