Automate Recon and scanning process with Vidoc. All security teams in one place
By kannthu
The "Jira Unauthenticated Installed gadgets" module detects a misconfiguration in Jira instances: it identifies instances that allow unauthenticated users to read the list of installed gadgets and, in some cases, their configuration.
This module targets Jira, a popular project management and issue tracking software developed by Atlassian. It is widely used by organizations to manage their projects, track issues, and collaborate with team members.
The severity of this module is classified as informative, which means it provides valuable information about potential security risks but does not directly exploit any vulnerabilities.
If a Jira instance allows unauthenticated access to read the installed gadgets, it can expose sensitive information to unauthorized individuals. This can include project details, issue tracking data, and potentially confidential information. It is important to address this misconfiguration to ensure the security and privacy of the Jira instance.
The "Jira Unauthenticated Installed gadgets" module works by sending an HTTP GET request to the "/rest/config/1.0/directory" endpoint of the targeted Jira instance. It then applies matching conditions to determine if the instance allows unauthorized access to read the installed gadgets.
The matching conditions used in this module are:
- Matcher 1: It checks if the response body contains the word "jaxbDirectoryContents". This indicates that the instance exposes the installed gadgets.
- Matcher 2: It verifies if the response status code is 200, indicating a successful request. This confirms that the instance is accessible.
If both matching conditions are met, the module reports a potential misconfiguration in the Jira instance.
Example HTTP request:
GET /rest/config/1.0/directory
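The following script reproduces the module's two matchers so an administrator can verify a Jira instance they operate. It is an added example and not Vidoc's module code; the endpoint path and the "jaxbDirectoryContents" marker come from the description above, while the sample response bodies are constructed for illustration and do not reflect Jira's real JSON layout beyond the marker key.

```python
import json
import urllib.error
import urllib.request

# Endpoint and marker string exactly as the module description states them.
DIRECTORY_PATH = "/rest/config/1.0/directory"
MARKER = "jaxbDirectoryContents"


def matches(status_code, body):
    """Apply the module's two matchers.

    Matcher 1: the response body contains the marker string.
    Matcher 2: the HTTP status code is 200.
    Both must hold for the instance to be reported as exposed.
    """
    return status_code == 200 and MARKER in body


def classify(status_code, body):
    """Return the finding the module would raise for a given response."""
    if matches(status_code, body):
        return "informative: installed gadgets readable without authentication"
    return "none"


def gadget_count(body):
    """Best-effort count of entries under the marker key.

    Returns None when the body is not JSON or the key does not hold a
    list/dict; the real structure may differ, so this is only a hint.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return None
    contents = data.get(MARKER) if isinstance(data, dict) else None
    if isinstance(contents, (list, dict)):
        return len(contents)
    return None


def check_jira(base_url, timeout=10):
    """Request the directory endpoint with no credentials.

    Returns (finding, status_code). Network failures yield ("error", None).
    Only run this against instances you administer.
    """
    url = base_url.rstrip("/") + DIRECTORY_PATH
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            body = resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        # 401/403 still carry a body; a redirect-to-login is also "not exposed".
        status = err.code
        body = err.read().decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError):
        return "error", None
    return classify(status, body), status


# Constructed sample responses (hypothetical, for offline demonstration).
SAMPLE_EXPOSED = json.dumps({MARKER: [{"id": "gadget-a"}, {"id": "gadget-b"}]})
SAMPLE_LOGIN_PAGE = "<html><body>Please log in to continue</body></html>"

if __name__ == "__main__":
    print(classify(200, SAMPLE_EXPOSED), gadget_count(SAMPLE_EXPOSED))
    print(classify(200, SAMPLE_LOGIN_PAGE))
    print(classify(401, SAMPLE_EXPOSED))
```

When run against a correctly configured instance, the endpoint should answer with a 401, 403 or a redirect to the login page, and `classify` returns "none"; a 200 whose body contains the marker is the condition the module reports.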
It is important to address any misconfigurations identified by this module to prevent unauthorized access to sensitive information in Jira instances.