"Basic" Jira users can Add/Remove Jira Connect Namespaces
**NOTE:** The main concern described in this issue is related to the fact that "Basic" (non-admin) users in Jira can remove/add namespaces by directly accessing `<jira_cloud_namespace>.atlassian.net/plugins/servlet/ac/gitlab-jira-connect-gitlab.com/gitlab-configuration`. At this time I do not believe there is any security concern with the JWT itself, even though it is mentioned in the report.
There do not appear to be any links in the UI for "Basic" (non-admin) Jira users to access this page, but when the URL is entered manually the page is shown. As the HackerOne reporter describes in [this comment](https://gitlab.com/gitlab-org/gitlab/-/issues/327062#note_546133684), it appears that GitLab needs to verify the permissions in the JWT to decide whether or not to grant access to this page. As per [this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/9641#list-namespaces-that-are-linked), I believe we intended only Jira admins to be able to add/remove these namespaces:
> When viewing this page, it is not necessary to be logged in to GitLab. We show the data here based on the JWT token generated by Jira which ensures that the user making the request here is an admin of the Jira account.
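The quoted comment treats the Jira-issued JWT as proof that the caller is a Jira admin, but a valid Connect JWT only proves that Jira issued the request for the user named in `sub`; whether that user may see the configuration page is a separate authorization step. Added here as an illustration, not GitLab's own code: a minimal Ruby check that first authenticates an Atlassian Connect JWT (HS256 signature, expiry, `qsh`) and only then requires the user to be a Jira site admin via an assumed `admin_lookup` callable; the path, secret and account ids used with it are constructed.

```ruby
require 'openssl'
require 'json'
require 'digest'
require 'erb'

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end
def b64url_decode(str)
  str = str.tr('-_', '+/')
  (str + '=' * ((4 - str.length % 4) % 4)).unpack1('m')
end

# Connect qsh: METHOD&canonical-path&sorted-params, SHA-256 hex (simplified: single-valued params, `jwt` excluded).
def canonical_qsh(method, path, params = {})
  canonical_path = path.sub(%r{/+\z}, '')
  canonical_path = '/' if canonical_path.empty?
  query = params.reject { |k, _| k.to_s == 'jwt' }.sort_by { |k, _| k.to_s }
                .map { |k, v| "#{ERB::Util.url_encode(k.to_s)}=#{ERB::Util.url_encode(v.to_s)}" }.join('&')
  Digest::SHA256.hexdigest("#{method.to_s.upcase}&#{canonical_path}&#{query}")
end

# Mint an HS256 Connect-style JWT; used here only to build the constructed sample request.
def sign_connect_jwt(payload, secret)
  signing_input = "#{b64url_encode({ alg: 'HS256', typ: 'JWT' }.to_json)}.#{b64url_encode(payload.to_json)}"
  "#{signing_input}.#{b64url_encode(OpenSSL::HMAC.digest('SHA256', secret, signing_input))}"
end
def constant_time_eq?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 1, authentication: signature, expiry and qsh. Returns [payload, nil] or [nil, reason].
def verify_connect_jwt(token, secret, method:, path:, params: {}, now: Time.now.to_i)
  header_b64, payload_b64, sig_b64 = token.to_s.split('.')
  return [nil, 'malformed token'] unless sig_b64
  return [nil, 'unexpected alg'] unless JSON.parse(b64url_decode(header_b64))['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
  return [nil, 'bad signature'] unless constant_time_eq?(expected, b64url_decode(sig_b64))
  payload = JSON.parse(b64url_decode(payload_b64))
  return [nil, 'expired'] if payload['exp'].to_i <= now
  return [nil, 'qsh mismatch'] unless payload['qsh'] == canonical_qsh(method, path, params)
  [payload, nil]
end

# Step 2, authorization: a valid JWT proves Jira issued the request for the user in `sub`, not that
# the user is a Jira site admin. `admin_lookup` is an assumed callable (e.g. a Jira REST lookup).
def authorize_configuration_page(token, secret, admin_lookup:, **request)
  payload, err = verify_connect_jwt(token, secret, **request)
  return [401, err] unless payload
  return [403, 'Jira site admin required'] unless admin_lookup.call(payload['sub'])
  [200, payload['sub']]
end
```

The same token that passes step 1 for a Basic user is rejected in step 2, which is the check the report says was missing.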
**[HackerOne report #1147812](https://hackerone.com/reports/1147812)** by `updatelap` on 2021-04-03, assigned to @ankelly:
[Report](#report) | [Attachments](#attachments) | [How To Reproduce](#how-to-reproduce)
## Report
__Note:__
Hey Gitlab Sec Team,
I contacted your GitLab Support team about your Jira app [GitLab.com for Jira Cloud](https://marketplace.atlassian.com/apps/1221011/gitlab-com-for-jira-cloud?hosting=cloud&tab=overview), and they told me that the app is eligible for reporting and a reward.
#### Summary:
GitLab provides an application tool, [GitLab.com for Jira Cloud](https://marketplace.atlassian.com/apps/1221011/gitlab-com-for-jira-cloud?hosting=cloud&tab=overview), that allows customers to manage Jira issues in a Jira instance from GitLab.com. After testing the integration feature in the application, it was found that the application leads to the leakage of the `JWT` to unauthorized users.
##### _About Jira:_
Jira Cloud allows the system administrator to add users with different roles such as "__Basic, Trusted, and Site administrator__", with the highest authority being "__Site administrator__" and the least "__Basic__". These roles allow:
1. The administrator can fully manage the account by accessing all projects, issues, dashboards and __configuring applications.__
2. Access to specific projects or issues only. It is not possible to __configure applications__ or to change any of the account settings.
### Description:
As we mentioned earlier, once installed, __GitLab.com for Jira Cloud__ allows an administrator to link their GitLab.com account with Atlassian Jira Cloud. So, after setup, a Jira __admin__ is allowed to go to `https://YOUDOMIN.atlassian.net/plugins/servlet/ac/gitlab-jira-connect-gitlab.com/gitlab-configuration`. On this page the admin can manage `Linked Gitlab namespaces` with Jira Cloud.
[REDACTED]
When you click on "__Add namespaces__", you can add namespaces and groups to the Jira Cloud instance. So, based on the __About Jira description__, an employee with "`Basic`" privileges is not allowed to access the application configuration. After testing whether the `GitLab for Jira Cloud` app checks the permissions of Jira users before providing the user with the `JWT`, it was found that the `GitLab for Jira Cloud` application does not verify the user's permissions and generates the JWT for a user with `Basic privileges`. This allows this malicious user to link their namespaces or groups to a Jira instance that they do not own, and to remove namespaces or groups added by the system admin. In addition, GitLab allows users to create private namespaces and groups on GitLab and then link them to the Jira instance, so this will reveal these namespaces and private groups.
The normal or expected behavior is for the tool to verify the role of the user who requests the configuration page, and if they do not have the privilege to display the page, a message similar to this should appear.
[REDACTED]
#### Steps To Reproduce
1. Go to Jira Cloud and create a Jira instance.
2. Add a user with the `Basic` role.
   1. The administrator creates a project and restricts it to admins only.
[REDACTED]
3. Admin installs the [GitLab.com for Jira Cloud](https://marketplace.atlassian.com/apps/1221011/gitlab-com-for-jira-cloud?hosting=cloud&tab=overview) app.
4. Admin goes to `https://YOUDOMIN.atlassian.net/plugins/servlet/ac/gitlab-jira-connect-gitlab.com/gitlab-configuration` and logs in with their GitLab account.
5. Admin clicks "Add namespace" and links a namespace and group to Jira Cloud.
6. User goes to `{BaseUrl}/plugins/servlet/ac/gitlab-jira-connect-gitlab.com/gitlab-configuration`
[REDACTED]
#### Impact
1. An unauthorized employee can access the application configuration page and reveal these namespaces and private groups.
2. The server grants a JWT token to the Basic user, allowing them to remove namespaces and groups.
[REDACTED]
3. It allows the user to link his GitLab account to the Jira instance and add his namespaces and groups to an instance that he does not own.
## Attachments
**Warning:** Attachments received through HackerOne, please exercise caution!
[REDACTED]
## How To Reproduce
Please add [reproducibility information] to this section:
1.
1.
1.
[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues