Vulnerability notification: User Anonymizer for Jira (GDPR)

Summary

Cross-site scripting vulnerabilities in User Anonymizer for Jira (GDPR)

Advisory Release Date

3 November 2020 

Product

User Anonymizer for Jira (GDPR)

Affected Versions

All User Anonymizer for Jira (GDPR) versions up to and including 2.0.3

Fixed Version

2.0.4

Problem

We were able to identify three security vulnerabilities in our User Anonymizer for Jira (GDPR) app.

The first vulnerability is a stored cross-site scripting (XSS) issue that allows any user with the required permissions to inject JavaScript code into the Job Name field of the “Anonymizer Scheduled Task” form. The injected code is then executed in the context of any user who views the stored value, and can perform any action within that user's scope.

The second vulnerability is a reflected cross-site scripting (XSS) issue that allows any user with the required permissions to inject JavaScript code through the request parameters of the Test anonymization and Execute actions. The injected code is then executed in the context of the user who opens the crafted request, and can perform any action within that user's scope.

The third vulnerability is a Cross-Site Request Forgery (XSRF) issue that could cause a user with the required permissions to start an anonymization without intending to.

The vulnerabilities have been rated P2 (High) according to Bugcrowd’s Vulnerability Rating Taxonomy (VRT).

All versions of User Anonymizer for Jira (GDPR) up to and including 2.0.3 are affected by these vulnerabilities.

Solution

If you are using an affected version of User Anonymizer for Jira (GDPR), please upgrade to version 2.0.4 immediately.

Root Cause

For the first two vulnerabilities, incorrect escaping caused our app to render some information taken from Jira (the stored Job Name and the reflected request parameters) as HTML rather than as plain text. This qualifies as a cross-site scripting (XSS) vulnerability: HTML that may contain JavaScript is executed in the browser of the user viewing the content. This kind of vulnerability could be exploited for a range of attacks, including privilege escalation. The third vulnerability was caused by a missing XSRF security token on the anonymization request, which could cause a user with the required permissions to execute an anonymization unknowingly.
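The two root causes above (missing output escaping and a missing XSRF token) are illustrated below in a small, self-contained Python model. This is an added example written for this advisory, not code from the User Anonymizer for Jira (GDPR) app or from Jira; the function names, the `xsrf_token` parameter name, the session/form dictionaries and the sample job name are all constructed for illustration. It contrasts the vulnerable rendering pattern with the escaped one for both the stored (Job Name) and reflected (request parameter) cases, and shows the token check that a state-changing request such as Execute needs.

```python
import html
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed sample input: a job name that contains markup, as it might be
# submitted through the scheduled-task form. Any string should render as text.
SAMPLE_JOB_NAME = '<script>alert(1)</script>'


def render_job_row_unsafe(job_name: str) -> str:
    """Vulnerable pattern (stored XSS): the stored value is concatenated
    straight into HTML, so markup in the value becomes live markup."""
    return f"<td>{job_name}</td>"


def render_job_row(job_name: str) -> str:
    """Fixed pattern: HTML-escape the value at output time. The browser then
    displays the characters literally instead of parsing them as tags."""
    return f"<td>{html.escape(job_name, quote=True)}</td>"


def render_test_result(query_string: str) -> str:
    """Reflected case: anything echoed back from request parameters gets the
    same escaping, regardless of where the value originally came from."""
    params = parse_qs(query_string, keep_blank_values=True)
    user = params.get("user", [""])[0]
    return f"<p>Test anonymization for {html.escape(user, quote=True)}</p>"


def issue_xsrf_token() -> str:
    """Create an unguessable per-session token; the server stores it in the
    session and embeds it in its own forms."""
    return secrets.token_urlsafe(32)


def xsrf_token_valid(session_token, submitted_token) -> bool:
    """Both copies must be present and match, compared in constant time."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def handle_execute(session: dict, form: dict):
    """Model of a state-changing endpoint (e.g. Execute). A request forged
    from another site cannot read the session token, so it cannot supply a
    matching 'xsrf_token' field (hypothetical field name) and is rejected."""
    if not xsrf_token_valid(session.get("xsrf_token"), form.get("xsrf_token")):
        return 403, "XSRF token missing or invalid; anonymization not started"
    return 200, "anonymization started"


if __name__ == "__main__":
    print("unsafe :", render_job_row_unsafe(SAMPLE_JOB_NAME))
    print("escaped:", render_job_row(SAMPLE_JOB_NAME))
    print("reflect:", render_test_result("user=<img src=x onerror=alert(1)>"))
    token = issue_xsrf_token()
    print("with token   :", handle_execute({"xsrf_token": token}, {"xsrf_token": token}))
    print("without token:", handle_execute({"xsrf_token": token}, {}))
```

Escaping belongs at the point where the value is written into HTML, not where it is stored: the same Job Name may also be written into JSON, logs or an e-mail, each of which needs its own encoding. For the token check, the comparison must fail closed when either side is absent, which is exactly the situation a forged cross-site request produces.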