Versions Compared

Old Version 4

changes.mady.by.user Yoonjeong Bae

Saved on

compared with

New Version 5

changes.mady.by.user Yoonjeong Bae

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Add Web API DELETE endpoint to delete approvals

Description

new endpoints to be added to Web API

  • DELETE /approvals/ref

  • DELETE /approvals/ref/id

ref - issue key/page id

id - approval id

  1. Jira Legacy
    serverSystem Jira
    serverIdb66650ca-af1e-397f-81f5-9d94924a0a26
    keyAPFJ-491

Unauthorized Access to Private Space Definitions

Description

Summary

Lower privileged users can access any Confluence space's "approval path" definitions, including those for private spaces.

Details

As a proof of concept, observe that user 5e4dabfc393ea90c94b42043 does not have access to the privatespa space in Confluence:

On the left, note the definition ID:179303 created for the private space (by the admin):

...

 

Despite the application access controls, it was possible to bypass this restriction and access the private space definition ID:179303 while authenticated as user 5e4dabfc393ea90c94b42043:

...

 

Impact

In this scenario, the private space definition contains a Slack webhook to send notifications about approvals. An attacker can gain detailed information about approvals, processes, workflows, and integrations of any Confluence space by reading their definitions. Particularly when "webhooks" are used in approval steps, as demonstrated above, possessing the Slack webhook URL allows the attacker to send arbitrary messages to the victim's Slack.

Steps to Reproduce

Setup

  1. As an administrator, install "Approval Path for Confluence".

  2. Create a new private space in Confluence.

  3. Access "Apps > Approval Path > Definitions".

  4. Click "Add Definition".

  5. Name the definition, select the private space, and click "Add Step".

  6. Add any step you want (fill in the required fields).

  7. Save the definition.

  8. For ease of reproduction, copy the definition ID.

Attacker

  1. Log in as a regular user.

  2. Start Burp Suite.

  3. Create a new space or access the user's personal space in Confluence.

  4. Access "Space Settings > Approval Path > Definitions".

  5. In Burp Suite (proxy history), identify the GET /connect/confluence/definitions request and copy the JWT from the jwt= URL parameter.

  6. Submit the request below, replacing {private-definition-id} and {attacker-jwt} with the obtained values:

Code Block
GET /connect/confluence/definition?user_is_admin=false&previewMode=true&viewOnly=true&v=12&id={private-definition-id}&jwt={attacker-jwt} HTTP/1.1
Host: app.approval-path.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0)

...

Jira Legacy
serverSystem Jira
serverIdb66650ca-af1e-397f-81f5-9d94924a0a26
keyAPFJ-489

...