Details
-
Type:
Improvement
-
Status: Closed (View Workflow)
-
Priority:
Major
-
Resolution: Done
-
Affects Version/s: None
-
Fix Version/s: None
-
Labels:None
-
Story Points:0.5
-
Epic Link:
-
Sprint:Fall 4 2021 Sep 27 - Oct 8
Description
See:
https://www.acunetix.com/vulnerabilities/web/atlassian-oauth-plugin-iconuriservlet-ssrf/
for possible vulnerability.
Propose course of action to mitigate risk.
Attachments
Activity
| Field | Original Value | New Value |
|---|---|---|
| Epic Link | IGBF-2323 [ 18477 ] |
| Status | To-Do [ 10305 ] | In Progress [ 3 ] |
Apache lets me block access to particular URLs. See documentation https://ubiq.co/tech-blog/apache-deny-access-to-url-files-directory/.
Upgrading the software will take me some time – a couple of days at least. Is it worth the effort to block the above endpoint while working on the upgrade?
| Status | In Progress [ 3 ] | To-Do [ 10305 ] |
Testing configuration:
<LocationMatch "/plugins/servlet/oauth/users/icon-uri*">
Require all denied
</LocationMatch>
When attempted to visit above, observed "access denied" message, which is the desired behavior.
Function of server does not appear to be affected, but upgrading should be a top priority.
| Status | To-Do [ 10305 ] | In Progress [ 3 ] |
| Status | In Progress [ 3 ] | Needs 1st Level Review [ 10005 ] |
| Assignee | Ann Loraine [ aloraine ] |
Useful links:
- Configure virtual host: https://unix.stackexchange.com/questions/140346/can-location-be-for-multiple-virtual-hosts-in-httpd-conf
- Directives: https://unix.stackexchange.com/questions/140346/can-location-be-for-multiple-virtual-hosts-in-httpd-conf
- Apache LocationMatch documentation: https://httpd.apache.org/docs/current/mod/core.html#location
| Status | Needs 1st Level Review [ 10005 ] | First Level Review in Progress [ 10301 ] |
| Status | First Level Review in Progress [ 10301 ] | Ready for Pull Request [ 10304 ] |
| Status | Ready for Pull Request [ 10304 ] | Pull Request Submitted [ 10101 ] |
| Status | Pull Request Submitted [ 10101 ] | Reviewing Pull Request [ 10303 ] |
| Status | Reviewing Pull Request [ 10303 ] | Merged Needs Testing [ 10002 ] |
| Status | Merged Needs Testing [ 10002 ] | Post-merge Testing In Progress [ 10003 ] |
| Resolution | Done [ 10000 ] | |
| Status | Post-merge Testing In Progress [ 10003 ] | Closed [ 6 ] |
| Assignee | Ann Loraine [ aloraine ] |
This URL needs to be blocked:
https://jira.transvar.org/plugins/servlet/oauth/users/icon-uri?consumerUri=Not sure if it will block functionality of the server, or what the normal function of this is.