HackerOne: HackerOne Jira integration plugin leaked JWT to unauthorized Jira users
News category: Security vulnerabilities
Source: vulners.com
Summary: HackerOne provides HackerOne for Jira, an application that allows programs to track security issues through a Jira instance. After testing the application's integration feature, it was found that the application leaks the JWT to unauthorized users.

About Jira: Jira Cloud allows the system administrator to add users with different roles, such as "Basic", "Trusted" and "Site administrator", with "Site administrator" having the highest authority and "Basic" the least. These roles allow the following:

- The administrator can fully manage the account by accessing all projects, issues and dashboards and by configuring applications.
- Access to specific projects or issues.
- No access to configure applications or to change any of the account settings.

Description: As mentioned earlier, once installed, the HackerOne for Jira application creates an integration between the HackerOne platform and Atlassian, where cases can be synchronized from HackerOne to Atlassian and vice versa. So, after installation, a Jira administrator account is allowed to go to https://YOUDOMIN.atlassian.net/plugins/servlet/ac/com.hackerone/get-started-with-hackerone-on-jira. When going to this page, the following message will appear:

[attachment F1196098: screenshot of the get-started page]

When you click on "click here", you will be directed to a link of the form "https://hackerone.com/apps/atlassian/claim-app?jwt=<TOKEN>", which contains a JWT parameter to complete the integration process. So, based on the... ...