Last October I dived into Jira Software (version 8.4.1) in the hope of discovering new vulnerabilities. Initially I came across a few Cross-Site Request Forgery (CSRF) weaknesses, which led me to a vulnerability that lets an attacker make the Jira server initiate connections to hosts of the attacker's choosing. This CSRF vulnerability (CVE-2019-20099) affects Atlassian Jira Server and Data Center versions from 8.2.4 up to, but not including, 8.7.0, and can be leveraged to perform a host discovery scan of any network visible to an affected Jira server.

This blog details the discovery of this issue and includes a host discovery proof of concept.

Jira's defences against Cross-Site Request Forgery

A CSRF attack abuses the fact that browsers attach cookies automatically: a page under the attacker's control makes the browser of a legitimate, logged-in user send a request to the vulnerable site, so the request carries the victim's session cookie and performs actions in the victim's name without their knowledge.

To defend against these attacks, the Jira server sets a CSRF token in an HttpOnly cookie on each client. For requests that perform state-changing operations, the server then checks that the same token is present both in the CSRF cookie and in a CSRF request parameter. A page on another origin can make the victim's browser send the cookie, but it cannot read the cookie's value, so it cannot supply the matching parameter; this is what stops an attacker from riding on the victim's cookies. In addition, the Referer header is validated against the server's own host and port, so that requests originating from a different origin are rejected.

The above is an example of a POST request that sets an issue's type to Bug. The CSRF cookie and the CSRF parameter are named Atlassian.xsrf.token and atl_token respectively. The Referer header is validated by checking that its value starts with the Jira server's IP address and port number.
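To make the two checks concrete, here is an added example (written for this article, not Jira's own code) of a server-side CSRF check built on the same double-submit-cookie pattern described above, with a Referer check alongside it. The cookie and parameter names follow the post; the request shape, the server origin `http://jira.example.internal:8080` and the `attacker.example` origin are assumptions for illustration. The example also constructs two forged requests to show why each check exists: one where the attacker cannot know the token, and one where a leaked token is replayed from another origin.

```python
"""Added example, not Jira's implementation: a double-submit-cookie CSRF check
plus Referer validation, modelled on the defence described in the article.
Cookie/parameter names follow the post; everything else is assumed."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

CSRF_COOKIE = "atlassian.xsrf.token"   # name from the post
CSRF_PARAM = "atl_token"               # name from the post


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumed shape)."""
    method: str
    cookies: Dict[str, str] = field(default_factory=dict)
    params: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def issue_token() -> str:
    """Token the server would place in the CSRF cookie when a session starts."""
    return secrets.token_urlsafe(32)


def default_port(scheme: str) -> Optional[int]:
    return {"http": 80, "https": 443}.get(scheme)


def referer_matches(referer: Optional[str], server_origin: str) -> bool:
    """Compare scheme, host and port of the Referer with the server's own origin.

    Parsed components are compared rather than a raw string prefix, so only a
    Referer whose origin really is the server's own is accepted.
    """
    if not referer:
        return False
    try:
        ref, own = urlsplit(referer), urlsplit(server_origin)
        ref_origin = (ref.scheme, ref.hostname, ref.port or default_port(ref.scheme))
        own_origin = (own.scheme, own.hostname, own.port or default_port(own.scheme))
    except ValueError:          # e.g. a non-numeric port in the Referer
        return False
    return ref_origin == own_origin


def csrf_check(req: Request, server_origin: str) -> bool:
    """Return True only if a state-changing request passes both checks.

    1. Double submit: the token in the CSRF cookie must equal the token sent as
       a request parameter. A cross-site page can make the browser send the
       cookie but cannot read it, so it cannot supply a matching parameter.
    2. The Referer must belong to the server's own origin.
    """
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True  # only state-changing methods are protected
    cookie_tok = req.cookies.get(CSRF_COOKIE, "")
    param_tok = req.params.get(CSRF_PARAM, "")
    # compare_digest keeps the comparison constant-time
    if not cookie_tok or not hmac.compare_digest(cookie_tok, param_tok):
        return False
    return referer_matches(req.headers.get("Referer"), server_origin)


def demo() -> Dict[str, bool]:
    """Constructed requests: one legitimate, two cross-site forgeries."""
    origin = "http://jira.example.internal:8080"   # assumed server origin
    tok = issue_token()
    legit = Request("POST", {CSRF_COOKIE: tok}, {CSRF_PARAM: tok},
                    {"Referer": origin + "/secure/EditIssue.jspa"})
    # Browser attaches the cookie, but the attacker's page cannot learn the token.
    forged = Request("POST", {CSRF_COOKIE: tok}, {CSRF_PARAM: "guess"},
                     {"Referer": "http://attacker.example/"})
    # Even with a leaked token, a request from another origin fails the Referer check.
    leaked = Request("POST", {CSRF_COOKIE: tok}, {CSRF_PARAM: tok},
                     {"Referer": "http://attacker.example/"})
    return {
        "legit": csrf_check(legit, origin),
        "forged": csrf_check(forged, origin),
        "leaked_token_cross_origin": csrf_check(leaked, origin),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the next sections is that a defence like this only works if every state-changing endpoint is actually routed through it; an endpoint that skips the check is reachable by exactly the forged request shown above.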

While testing various requests, I discovered that Jira doesn’t always validate these values.

The Bug

Setting up an outgoing (SMTP) mail server in Jira requires a system administrator to complete and submit a form with the relevant mail server details, such as the server name, host address, port number, user credentials and so forth. At the bottom of the form there are two buttons: one adds the new mail server, the other tests the connection to it.