Vulnerability notification: CUTE for Jira and Confluence

Summary

JavaScript code can be injected into the CUTE configuration (cross-site scripting); the CUTE configuration is vulnerable to cross-site request forgery; and a directory traversal attack is possible during the import of an extension or while adding a resource to an extension.

Advisory Release Date

17 November 2020 

Product

CUTE for Jira
CUTE for Confluence

Affected Versions

All versions up to and including 1.5.2

Fixed Version

1.5.3

Problems

We identified security vulnerabilities in the configuration of our CUTE apps.

The first kind of vulnerability allows a Confluence/Jira administrator to inject JavaScript code into the configuration page of an extension. The malicious code is then executed in the browser of every user who views that page, in that user's context, and allows the attacker to perform any action within the viewing user's scope. This vulnerability has been rated P2 (High) according to the scale published under Bugcrowd's Vulnerability Rating Taxonomy (VRT).

The second kind of vulnerability allows a cross-site request forgery (XSRF) attack against the configuration of the CUTE apps. The attack could be used to trick a logged-in Confluence/Jira administrator into performing any action in the CUTE configuration that the attacker chooses. This vulnerability has been rated P2 (High) according to the scale published under Bugcrowd's Vulnerability Rating Taxonomy (VRT).

The last kind of vulnerability allows a Confluence/Jira administrator to execute code of their choosing on the Confluence/Jira server. This vulnerability has been rated P1 (Critical) according to the scale published under Bugcrowd's Vulnerability Rating Taxonomy (VRT).

Root Causes

Because of incorrect escaping, our apps rendered user input as HTML. This is a cross-site scripting (XSS) vulnerability: HTML that contains JavaScript is executed in the context of the user viewing the content. This kind of vulnerability can be exploited for different attacks, including an escalation of privileges, because the injected script runs with the permissions of whoever views the page, which may be a user with more rights than the administrator who saved the value.
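To illustrate the root cause, here is an added example (not the CUTE apps' own code) of the two rendering patterns. A configuration value supplied by an administrator is interpolated into markup once without escaping and once with context-appropriate escaping; the element name and the sample payloads are constructed for the example.

```python
import html

# Vulnerable pattern: the administrator-supplied value is interpolated straight
# into the markup, so any HTML or JavaScript in it becomes part of the page.
def render_extension_name_unescaped(name: str) -> str:
    return f'<div class="cute-extension" title="{name}">{name}</div>'

# Hardened pattern: escape for the contexts the value lands in. html.escape with
# quote=True covers both text content and a double-quoted attribute value.
def render_extension_name(name: str) -> str:
    safe = html.escape(name, quote=True)
    return f'<div class="cute-extension" title="{safe}">{safe}</div>'

# Constructed payloads of the kind a stored-XSS test would use: one targets the
# text context, the other breaks out of the title attribute.
TEXT_PAYLOAD = "<script>alert(1)</script>"
ATTRIBUTE_PAYLOAD = '" onmouseover="alert(1)'

def markup_introduced(render, value: str) -> bool:
    """True if rendering `value` produced more tags than the template's own
    opening and closing <div>, i.e. the input was interpreted as HTML."""
    return render(value).count("<") > 2

if __name__ == "__main__":
    for payload in (TEXT_PAYLOAD, ATTRIBUTE_PAYLOAD):
        print("unescaped:", render_extension_name_unescaped(payload))
        print("escaped:  ", render_extension_name(payload))
```

The attribute payload is the one that is easy to miss: a template that only escapes `<` and `>` for text content still lets a stray `"` terminate the attribute and start a new event-handler attribute, which is why the escaping has to be chosen for the output context, not applied as a single global filter.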

The XSRF vulnerability is due to the lack of an XSRF security token on the requests that change the CUTE configuration: a request carrying the administrator's session cookie was accepted regardless of which site initiated it.
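As an added example (not the vendors' code), the following sketch shows the check that was missing: a per-session token is issued with the configuration form and every state-changing request must echo it back. The `Session` class, the request dictionary shape and the form field name `csrf_token` are assumptions made for the example.

```python
import hmac
import secrets

class Session:
    """Stand-in for the server-side session object (assumption for the example)."""
    def __init__(self) -> None:
        self.csrf_token = None

def issue_csrf_token(session: Session) -> str:
    """Create the anti-CSRF token once per session and return it; the
    configuration form embeds it as a hidden field. A forged cross-site request
    cannot read it, because the attacker's page cannot see this response."""
    if session.csrf_token is None:
        session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token

def csrf_token_is_valid(session: Session, submitted) -> bool:
    """True only if a token was issued for this session and the submitted value
    matches it. compare_digest avoids leaking the token through timing."""
    if session.csrf_token is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(session.csrf_token, submitted)

def handle_config_update(session: Session, request: dict) -> tuple:
    """Gate a configuration change. `request` is a constructed dict with keys
    'method' and 'form'; a real handler would read the servlet request."""
    if request.get("method") != "POST":
        # Configuration changes are only accepted via POST (assumption), so a
        # simple cross-site <img> or link cannot trigger them.
        return 405, "method not allowed"
    submitted = request.get("form", {}).get("csrf_token")
    if not csrf_token_is_valid(session, submitted):
        return 403, "missing or invalid anti-CSRF token"
    # ... apply the configuration change here ...
    return 200, "configuration updated"

if __name__ == "__main__":
    admin = Session()
    token = issue_csrf_token(admin)
    legit = {"method": "POST", "form": {"csrf_token": token, "setting": "x"}}
    forged = {"method": "POST", "form": {"setting": "x"}}
    print(handle_config_update(admin, legit))   # accepted
    print(handle_config_update(admin, forged))  # rejected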

The remote code execution vulnerability is caused by our apps being vulnerable to path traversal: the file names processed during an extension import or when adding a resource to an extension were not restricted to the extension's directory, which allows an attacker to place files in arbitrary folders of the file system that could then be executed.
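As an added example (not the CUTE apps' code), the function below shows the containment check that a resource upload or archive import needs before writing a file: reject absolute paths and drive letters, normalise separators and `..` segments, and then confirm that the resolved target still lies under the extension directory. The base directory `/opt/cute-extensions` and the entry names are constructed for the example.

```python
import os
import posixpath
import re

class UnsafePathError(ValueError):
    """Raised when an uploaded or archived file name would escape the base dir."""

def safe_extension_path(base_dir: str, entry_name: str) -> str:
    """Return the absolute path under base_dir where `entry_name` may be written,
    or raise UnsafePathError. `entry_name` is the name supplied by the client,
    e.g. a ZIP entry name during import or the file name of an added resource."""
    # Archive tools and Windows clients may use backslashes; treat them as separators.
    name = entry_name.replace("\\", "/")
    if not name or "\x00" in name:
        raise UnsafePathError("empty name or embedded NUL")
    if posixpath.isabs(name) or re.match(r"^[A-Za-z]:", name):
        raise UnsafePathError(f"absolute path not allowed: {entry_name!r}")
    # Lexical check: after normalisation any remaining '..' must be leading,
    # which means the name climbs out of the base directory.
    norm = posixpath.normpath(name)
    if norm in (".", "") or ".." in norm.split("/"):
        raise UnsafePathError(f"traversal not allowed: {entry_name!r}")
    # Filesystem check: resolve symlinks on both sides and require containment.
    # This is the check that catches a symlink already planted inside base_dir.
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, norm))
    if os.path.commonpath([base_real, target]) != base_real:
        raise UnsafePathError(f"resolved outside base: {entry_name!r}")
    return target

def is_safe_entry(base_dir: str, entry_name: str) -> bool:
    """Convenience wrapper: True if the entry may be written, False otherwise."""
    try:
        safe_extension_path(base_dir, entry_name)
        return True
    except UnsafePathError:
        return False

if __name__ == "__main__":
    base = "/opt/cute-extensions"          # constructed base directory
    for entry in ("my-ext/style.css",      # constructed entry names
                  "my-ext/../../../tmp/payload.txt",
                  "my-ext\\..\\..\\..\\tmp\\payload.txt",
                  "/etc/passwd"):
        print(f"{entry!r:45} -> {is_safe_entry(base, entry)}")
```

When the import is an archive, the check runs on every entry name before extraction, and the write uses the returned path rather than the raw entry name; validating only the archive's top-level name would leave the traversal open.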

Solution

If you are using any version of the CUTE apps before 1.5.3, please upgrade to version 1.5.3 or later.