Jira Auth Bypass bug in Google Acquisition (Apigee)
I was looking for blogs on GoogleVRP reports as well as noting down its popular acquisitions.
Then I found a blog (https://tutorgeeks.blogspot.com/2018/08/misconfigured-jira-setting-apigee.html) which talks about an unauthenticated Jira instance leaking dashboard names, project titles and user profile pictures by applying filters.
It also mentions that the website supports logging in only with an @apigee.com email address, so I thought: why not try logging in using Google OAuth? I signed in using my Gmail account and was successfully logged in!!!
Now I visited https://apigeesc.atlassian.net/jira/dashboards?view%3Dpopular, which was leaking dashboard names and project titles along with user display pictures.
If you visit the link unauthenticated you can't find this information, so it's an auth bypass bug: I could log in to the internal Jira instance using OAuth sign-in with a Gmail account.
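The login-side weakness above is that "any Google account" was accepted where "only @apigee.com Workspace accounts" was intended. The following is an added example (my code, not from the writeup or from Apigee/Atlassian) of the authorization step a relying party should run after a Google ID token has been verified: it keys on the `hd` (hosted domain) claim, which Google sets only for Workspace accounts, alongside `email_verified` and the e-mail domain. `ALLOWED_HD`, the claim dictionaries and the `weak_authorize` contrast function are assumptions constructed for illustration.

```python
"""Hosted-domain check for Google sign-in (added example, not from the writeup).

Assumes the relying party has already verified the ID token's signature,
issuer, audience and expiry (for example with google-auth's
google.oauth2.id_token.verify_oauth2_token) and now holds the decoded
claims as a dict. Accepting any Google account is not the same as
accepting only accounts from the intended Workspace domain.
"""

ALLOWED_HD = "apigee.com"  # the Workspace domain the instance is meant to serve (assumed)


class LoginRejected(Exception):
    pass


def authorize_google_login(claims: dict, allowed_hd: str = ALLOWED_HD) -> str:
    """Return the e-mail of an authorized user, or raise LoginRejected.

    1. the account must belong to the expected Google Workspace domain,
       asserted by Google via the ``hd`` claim (consumer gmail.com accounts
       carry no ``hd`` claim at all);
    2. the e-mail must be verified by the identity provider;
    3. the e-mail domain must agree with ``hd`` (defence in depth against
       trusting the display e-mail alone).
    """
    hd = claims.get("hd")
    if hd is None:
        raise LoginRejected("no hosted domain: consumer Google account")
    if hd.lower() != allowed_hd.lower():
        raise LoginRejected(f"hosted domain {hd!r} is not {allowed_hd!r}")
    if claims.get("email_verified") is not True:
        raise LoginRejected("e-mail address not verified by the IdP")
    email = claims.get("email", "")
    _, _, email_domain = email.rpartition("@")
    if email_domain.lower() != allowed_hd.lower():
        raise LoginRejected(f"e-mail domain {email_domain!r} does not match hd")
    return email


def weak_authorize(claims: dict) -> str:
    """The behaviour the writeup implies: any verified Google login is accepted.
    Present only to contrast with authorize_google_login."""
    if claims.get("email_verified") is not True:
        raise LoginRejected("e-mail address not verified by the IdP")
    return claims["email"]


# Constructed sample claim sets (not real tokens or real users).
WORKSPACE_USER = {"sub": "1", "email": "alice@apigee.com", "email_verified": True, "hd": "apigee.com"}
GMAIL_USER = {"sub": "2", "email": "researcher@gmail.com", "email_verified": True}
OTHER_WORKSPACE = {"sub": "3", "email": "bob@example.org", "email_verified": True, "hd": "example.org"}


def is_accepted(check, claims) -> bool:
    """True if the given authorization function lets these claims through."""
    try:
        check(claims)
        return True
    except LoginRejected:
        return False


if __name__ == "__main__":
    for name, c in [("workspace", WORKSPACE_USER), ("gmail", GMAIL_USER), ("other-ws", OTHER_WORKSPACE)]:
        print(f"{name:10s} weak={is_accepted(weak_authorize, c)} strict={is_accepted(authorize_google_login, c)}")
```

Run stand-alone it prints that the weak check admits all three constructed accounts while the strict check admits only the apigee.com Workspace user. Checking the e-mail suffix alone is not a substitute for `hd`: the suffix check is the third, secondary guard here, not the first.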
Now, I didn't stop here; I ran a nuclei scan against the website with Jira templates.
I found an endpoint through which I could access the same information without authentication: https://apigeesc.atlassian.net/rest/api/2/dashboard?maxResults=100
This provided JSON output even for unauthenticated users.
So I found a way to access dashboards in an authenticated way (OAuth login) and also in an unauthenticated way using the REST API.
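For the REST-side exposure, an administrator wants a repeatable check that an anonymous caller no longer gets a populated dashboard list from the endpoint named above. The script below is an added example (mine, not the writeup's or Atlassian's) that issues the same unauthenticated GET against an instance you administer and classifies the answer; the response layout it assumes (top-level `total` and a `dashboards` list with `id`/`name`) follows Jira's documented dashboard search response but should be treated as an assumption, and the sample bodies are constructed.

```python
"""Audit check for anonymous dashboard listing on a Jira instance (added
example, not part of the writeup). Run against an instance you own.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field


@dataclass
class AnonymousDashboardReport:
    status: int
    exposed: bool
    total: int = 0
    names: list = field(default_factory=list)


def summarize_dashboard_listing(status: int, body: bytes) -> AnonymousDashboardReport:
    """Classify an unauthenticated response to /rest/api/2/dashboard.

    A hardened instance answers 401/403, or 200 with an empty list, to
    anonymous callers; the writeup's instance returned a populated list.
    Anything that is not a 200 with parseable JSON is treated as not exposed.
    """
    if status != 200:
        return AnonymousDashboardReport(status=status, exposed=False)
    try:
        data = json.loads(body)
    except ValueError:
        return AnonymousDashboardReport(status=status, exposed=False)
    dashboards = data.get("dashboards") or []  # assumed key, see lead-in
    names = [d.get("name", "<unnamed>") for d in dashboards]
    total = int(data.get("total", len(dashboards)))
    return AnonymousDashboardReport(status=status, exposed=bool(names), total=total, names=names)


def check_instance(base_url: str, timeout: float = 10.0) -> AnonymousDashboardReport:
    """Perform the anonymous request (no cookies, no Authorization header)."""
    url = base_url.rstrip("/") + "/rest/api/2/dashboard?maxResults=100"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return summarize_dashboard_listing(resp.status, resp.read())
    except urllib.error.HTTPError as e:
        # 401/403 arrive here; classify them the same way
        return summarize_dashboard_listing(e.code, e.read())


# Constructed sample responses, so the classifier can be exercised offline.
EXPOSED_BODY = json.dumps({
    "startAt": 0, "maxResults": 100, "total": 2,
    "dashboards": [
        {"id": "10000", "name": "Team Roadmap", "view": "https://jira.example.invalid/jira/dashboards/10000"},
        {"id": "10001", "name": "Release Blockers"},
    ],
}).encode()
HARDENED_BODY = json.dumps({"startAt": 0, "maxResults": 100, "total": 0, "dashboards": []}).encode()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        report = check_instance(sys.argv[1])  # e.g. https://your-instance.example
    else:
        report = summarize_dashboard_listing(200, EXPOSED_BODY)
    print("anonymous dashboard listing exposed:", report.exposed,
          "| total:", report.total, "| names:", report.names)
```

With no argument it classifies the constructed "exposed" body; with a base URL it performs the live anonymous request. Remediation on the Jira side is a review of anonymous access and dashboard sharing settings rather than code; this script only tells you whether the listing is still visible to an anonymous caller after that review.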
Impact:
1. An attacker is able to find details of Apigee employees working in a specific project/team.
2. Apigee's new features or severe bugs mentioned in project titles can be leaked.
3. Moreover, when I was authenticated, I was also able to create private dashboards.
I made a nice report explaining everything and reported it to GoogleVRP.
The bug was accepted, rewarded ($xxx) and fixed.
References:
https://hackerone.com/reports/332586
https://tutorgeeks.blogspot.com/2018/08/misconfigured-jira-setting-apigee.html