
Jira Unauthenticated Installed gadgets

By kannthu

Informative
Vidoc Module
#atlassian #jira
Description

What is "Jira Unauthenticated Installed gadgets"?

The "Jira Unauthenticated Installed gadgets" module detects a misconfiguration in Jira instances: it identifies instances that let unauthenticated clients read the list of installed gadgets and, in some cases, their configuration. The module exists to flag this exposure as a potential security weakness in a Jira installation.

This module targets Jira, a popular project management and issue tracking software developed by Atlassian. It is widely used by organizations to manage their projects, track issues, and collaborate with team members.

The severity of this module is classified as informative, which means it provides valuable information about potential security risks but does not directly exploit any vulnerabilities.

Impact

If a Jira instance allows unauthenticated access to read the installed gadgets, it can expose sensitive information to unauthorized individuals. This can include project details, issue tracking data, and potentially confidential information. It is important to address this misconfiguration to ensure the security and privacy of the Jira instance.

How does the module work?

The "Jira Unauthenticated Installed gadgets" module sends an unauthenticated HTTP GET request to the "/rest/config/1.0/directory" endpoint of the target Jira instance. It then applies its matching conditions to the response to decide whether the instance allows unauthenticated access to the installed gadgets.

The matching conditions used in this module are:

- Matcher 1: checks whether the response body contains the word "jaxbDirectoryContents". This indicates that the instance exposes the installed gadgets.
- Matcher 2: verifies that the response status code is 200, indicating a successful request. This confirms that the endpoint is reachable.

If both matching conditions are met, the module reports a potential misconfiguration in the Jira instance.

Example HTTP request:

GET /rest/config/1.0/directory

It is important to address any misconfigurations identified by this module to prevent unauthorized access to sensitive information in Jira instances.
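The matching logic above, written out as an added example (this is not Vidoc's module code). It reproduces the two matchers exactly as described (the body must contain "jaxbDirectoryContents" AND the status must be 200), evaluates them against constructed sample responses, and includes a hypothetical `check_instance` helper for re-running the same single unauthenticated request against an instance you administer, for example to confirm a fix. The sample bodies and the 401 message text are constructed, not captured from a real Jira.

```python
"""Added example (not Vidoc's own code): the module's two matching conditions,
applied offline to constructed responses, plus an optional self-check helper."""
import urllib.error
import urllib.request
from dataclasses import dataclass

ENDPOINT = "/rest/config/1.0/directory"  # endpoint named in the module description
MATCH_WORD = "jaxbDirectoryContents"     # Matcher 1: word expected in the body
MATCH_STATUS = 200                       # Matcher 2: expected status code


@dataclass
class HttpResponse:
    status: int
    body: str


def matches(resp: HttpResponse) -> bool:
    """Both matchers must hold; the module ANDs them (see 'Matching conditions').
    A 200 without the marker, or the marker with a non-200 status, is not reported."""
    word_ok = MATCH_WORD in resp.body
    status_ok = resp.status == MATCH_STATUS
    return word_ok and status_ok


def check_instance(base_url: str, timeout: float = 10.0) -> HttpResponse:
    """Hypothetical helper: fetch the directory endpoint with no credentials, as the
    module does, against an instance you own. Returns status and body even on
    non-2xx responses so that matches() can be applied uniformly."""
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT,
        headers={"Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return HttpResponse(r.status, r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return HttpResponse(e.code, e.read().decode("utf-8", "replace"))


# Constructed sample responses (not captured from a real instance)
EXPOSED = HttpResponse(200, '{"jaxbDirectoryContents":{"categories":[],"gadgets":[]}}')
LOGIN_REDIRECT = HttpResponse(302, "")
AUTH_REQUIRED = HttpResponse(401, '{"message":"Client must be authenticated"}')
# A 200 that does not carry the marker (e.g. an HTML login form) must not match
LOGIN_PAGE = HttpResponse(200, "<html><form id='login-form'>...</form></html>")


def classify_samples() -> dict:
    """Evaluate every constructed sample; only EXPOSED should be reported."""
    samples = {
        "exposed": EXPOSED,
        "redirect": LOGIN_REDIRECT,
        "auth_required": AUTH_REQUIRED,
        "login_page": LOGIN_PAGE,
    }
    return {name: matches(resp) for name, resp in samples.items()}


if __name__ == "__main__":
    for name, reported in classify_samples().items():
        print(f"{name:14} report={reported}")
```

After restricting the endpoint (for example by requiring authentication for REST resources), `check_instance("https://jira.example.internal")` passed to `matches` should return `False`: a 401, a redirect to the login page, or a 200 login form that lacks the marker all fail the AND.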

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /rest/config/1.0/dir...
Matching conditions
word: jaxbDirectoryContents AND status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability