Exploitalert - Database of Exploits

Infosysta Jira 1.6.13_J8 User Name Disclosure

CVE	Category	Price	Severity
CVE-2019-16907	CWE-200	Unknown	Unknown

Author	Risk	Exploitation Type	Date
Unknown	Unknown	Remote	2019-10-29

CVSS	EPSS	EPSSP
CVSS:4.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Local	AV	The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	Low	PR	The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope		S	An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a 'privilege escalation,' where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

https://cxsecurity.com/ascii/WLB-2019100180

Infosysta Jira 1.6.13_J8 User Name Disclosure

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2019-043 Product: In-App & Desktop Notification for Jira Manufacturer: Infosysta Affected Version(s): 1.6.13_J8 Tested Version(s): 1.6.13_J8 Vulnerability Type: Authentication/Authorization Bypass Risk Level: Medium Solution Status: Closed Manufacturer Notification: 2019-09-24 Solution Date: 2019-10-01 Public Disclosure: 2019-10-23 CVE Reference: CVE-2019-16907 Author of Advisory: Erik Steltzner, SySS GmbH Fabian Krone, SySS GmbH Sascha Heider, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: In-App & Desktop Notification for Jira is a Plug-in that displays email notification from Jira directly within the application. The manufacturer describes the product as follows (see [1]): "In-app & Desktop Notifications for Jira app allows you to get all of Jira's email notifications in front of you. Now you won't have to search through all your emails to check for a specific event in Jira, but all what you need to do is to check the notification section in Jira and see all events that happened in Jira and are related to you. You will also receive instant Desktop notifications as well as you will be able to add comments to the tickets directly from the notification." ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: It is possible to read out all user names within Jira without authentication/authorization. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Using the following path it is possible to list all existing user names: /plugins/servlet/nfj/UserFilter?searchQuery=@ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Before delivering a reply, it should be checked whether a request has the necessary authorization. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2019-09-10: Vulnerability discovered 2019-09-24: Vulnerability reported to manufacturer 2019-10-01: Patch released by manufacturer 2019-10-23: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for In-App & Desktop Notification for Jira https://marketplace.atlassian.com/apps/1217434/in-app-desktop-notifications-for-jira [2] SySS Security Advisory SYSS-2019-043 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-043.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Erik Steltzner, Fabian Krone and Sascha Heider of SySS GmbH. E-Mail: [email protected] Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Erik_Steltzner.asc Key ID: 0x4C7979CE53163268 Key Fingerprint: 6538 8216 555B FBE7 1E01 7FBD 4C79 79CE 5316 3268 E-Mail: [email protected] Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Fabian_Krone.asc Key ID: 0xBFDF30ABD10EA0F4 Key Fingerprint: 0ADE D2AA AE27 7DDA A8F0 C051 BFDF 30AB D10E A0F4 E-Mail: [email protected] Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Sascha_Heider.asc Key ID: 0x06C4F8D7FCE9AF94 Key Fingerprint: F99E 89B8 EF77 C34F 6F9F 0E19 06C4 F8D7 FCE9 AF94 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: https://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEZTiCFlVb++ceAX+9THl5zlMWMmgFAl2wTyYACgkQTHl5zlMW MmhNtg/+NAuoLbSdHSow25HiVL4eFstwd2Bnh4CWGba2/E0YNZ3DzD8/6cSCzr9s 5pOU9fTz3lyZHWh7r2Jg8IutTaPk3AHC6qHx8hvACqhqnpHhfejCHtqc6ROK2VRT 1vGCp3j7EqDN52e7lQZaDmNxAnhNu7CeCIKHIdzKnEkg4owlEI5JYwzwF8YogTqF keiQjd/eVw9o2NFjy+b1+q2/UuAeuRZ1Rd/YZ8RyvLuG/lsT2oOCdikXnWN/AIDm q8rQe8uiVoA9fjixsNWHCW6PcnwPtMwu3K/pFLmzh7n482J/VIzjBfngnnRgrHCG /UvwUGG/UgXxiWUKbEoVrA3TeOfTybOWQ3+SHKyZdUBUmoIJBzZq5CdJRJMpne5U 0iY1qbFwZL5XVIhgfN16W3OOMp4cUk3mbT9OWTRg2S13pZpllONjM4E5+cIGpjwX gTH7FzEVT8ywLEWN+m1ISA4LDCK9mXS+LM8s/RLLRcDibBaUdqCyb8UTxnVcaFtk syO+dTMtIJNymvM+hpkRadMuKxaL5Rm7SOfjrpA7aQORlwFxM2NGrmNQcos7jUQL Z2M8sinSq/Ht+SPbIwnxzE+z1Ve6xFBNgnT1PWu5MPOOCkM6Qo9f22EhVjTVS6Td /BTiVKZPEG58O5oN8Oq8r3w6LX2i9wmUBAqAyGBFCMkQ5JLKA/U= =mNrG -----END PGP SIGNATURE-----

Impressum