Details
-
Type:
Improvement
-
Status: Closed (View Workflow)
-
Priority:
Major
-
Resolution: Done
-
Affects Version/s: None
-
Fix Version/s: None
-
Labels:None
-
Story Points:0.5
-
Epic Link:
-
Sprint:Fall 4 2021 Sep 27 - Oct 8
Description
See:
https://www.acunetix.com/vulnerabilities/web/atlassian-oauth-plugin-iconuriservlet-ssrf/
for possible vulnerability.
Propose course of action to mitigate risk.
Attachments
Activity
Apache lets me block access to particular URLs. See documentation https://ubiq.co/tech-blog/apache-deny-access-to-url-files-directory/.
Upgrading the software will take me some time – a couple of days at least. Is it worth the effort to block the above endpoint while working on the upgrade?
Testing configuration:
<LocationMatch "/plugins/servlet/oauth/users/icon-uri*">
Require all denied
</LocationMatch>
When attempted to visit above, observed "access denied" message, which is the desired behavior.
Function of server does not appear to be affected, but upgrading should be a top priority.
Useful links:
- Configure virtual host: https://unix.stackexchange.com/questions/140346/can-location-be-for-multiple-virtual-hosts-in-httpd-conf
- Directives: https://unix.stackexchange.com/questions/140346/can-location-be-for-multiple-virtual-hosts-in-httpd-conf
- Apache LocationMatch documentation: https://httpd.apache.org/docs/current/mod/core.html#location
This URL needs to be blocked:
https://jira.transvar.org/plugins/servlet/oauth/users/icon-uri?consumerUri=Not sure if it will block functionality of the server, or what the normal function of this is.