Jira Service Desk Sign Up Detected

low Web App Scanning Plugin ID 113218

Language:

Synopsis

Jira Service Desk Sign Up Detected

Description

Atlassian Jira is a software application used for issue tracking and project management. An internal only Atlassian Jira Service Desk instance may be misconfigured to be accessible to 3rd parties to sign up, potentially leading to attackers creating accounts and raising ticket requests for privileged internal access, and in some cases expose email addresses and other sensitive information contained inside.

Solution

Review the scope of the Atlassian Jira Service Desk. If the detected instance is intended for internal users only restrict access permissions for external accounts to the instance.

See Also

https://medium.com/@intideceukelaire/hundreds-of-internal-servicedesks-exposed-due-to-covid-19-ecd0baec87bd

https://support.atlassian.com/jira-service-management-cloud/docs/customer-permissions-for-your-service-project-and-jira-site/

Plugin Details

Severity: Low

ID: 113218

Type: remote

Family: Web Applications

Published: 4/21/2022

Updated: 4/21/2022

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 2.9

CVSS v2

Risk Factor: Low

Base Score: 2.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Low

Base Score: 3.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

Reference Information

CWE: 284

OWASP: 2010-A8, 2013-A7, 2017-A5, 2021-A1

WASC: Insufficient Authorization

CAPEC: 19, 441, 478, 479, 502, 503, 536, 546, 550, 551, 552, 556, 558, 562, 563, 564, 578

DISA STIG: APSC-DV-000460

HIPAA: 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-1.4.2

PCI-DSS: 3.2-6.5.8