JIRA and Tool Configuration credentials exposed in plain text

Moderate
madchap published GHSA-8q8j-7wc4-vjg5 Nov 15, 2020

Package

defectdojo

Affected versions

<1.9.3

Patched versions

>=1.9.3

Description

Impact

What kind of vulnerability is it? Who is impacted?
This vulnerability is an instance of CWE-200, exposure of sensitive information to an unauthorized actor.

Any DefectDojo instance having at least one JIRA integration configured and using DefectDojo version 1.9.2 or below is exposed.

There were two ways to obtain JIRA credentials without having proper authorization:

  • JIRA passwords were exposed through the Django admin portal.
  • JIRA passwords were exposed through GET requests via API v1 and v2.

Moreover, the Tool_Configuration was leaking sensitive information as well (SSH keys, API keys, and password fields).
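Both exposure routes come down to the same defect: a stored credential column is copied straight into an outbound representation. The following is an added example, not code from DefectDojo, showing the leaking serializer shape next to the write-only pattern that DRF expresses as `write_only=True` (mirrored here in plain Python so it runs without Django), plus a small audit helper an operator can run over real GET responses from their own instance. The field names `password`, `ssh` and `api_key` come from the advisory text; the `SAMPLE_RECORD` values and the `find_exposed_secrets` helper are constructed for this illustration.

```python
"""Illustrates the CWE-200 pattern behind this advisory: a serializer that
echoes stored credentials back in API responses, the write-only variant that
does not, and an audit helper that walks a JSON payload looking for
credential-bearing fields.

Constructed example. Field names (password, ssh, api_key) are taken from the
advisory text; the record and its values are invented."""

from __future__ import annotations

from typing import Any, Iterable

# Field names the advisory says were exposed. Treated as secrets below.
SECRET_FIELDS = frozenset({"password", "ssh", "api_key"})

# Constructed stand-in for a stored JIRA / Tool Configuration record.
SAMPLE_RECORD: dict[str, Any] = {
    "id": 7,
    "url": "https://jira.example.invalid",
    "username": "svc-defectdojo",
    "password": "s3cret-value",                        # constructed value
    "api_key": "tok-0123456789",                       # constructed value
    "ssh": "-----BEGIN OPENSSH PRIVATE KEY----- ...",  # constructed value
}


def serialize_naive(record: dict[str, Any]) -> dict[str, Any]:
    """The vulnerable shape: every stored column is copied into the
    response, so a GET on the endpoint returns the credentials."""
    return dict(record)


class WriteOnlySerializer:
    """Minimal stand-in for the DRF idiom of declaring credential fields
    write_only=True: they may be set on create/update, but are never
    emitted by to_representation()."""

    def __init__(self, write_only: Iterable[str] = SECRET_FIELDS) -> None:
        self.write_only = frozenset(write_only)

    def to_representation(self, record: dict[str, Any]) -> dict[str, Any]:
        # Drop secret fields entirely rather than masking them, so that
        # neither the value nor its length is disclosed.
        return {k: v for k, v in record.items() if k not in self.write_only}

    def to_internal_value(self, data: dict[str, Any]) -> dict[str, Any]:
        # Inbound direction is unchanged: callers may still supply secrets.
        return dict(data)


def find_exposed_secrets(payload: Any, path: str = "$") -> list[str]:
    """Walk a decoded JSON payload (dicts/lists) and return JSONPath-like
    locations where a secret-named key carries a non-empty value.
    Intended for auditing what an instance actually returns on GET."""
    hits: list[str] = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}"
            if key in SECRET_FIELDS and value not in (None, "", []):
                hits.append(here)
            hits.extend(find_exposed_secrets(value, here))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            hits.extend(find_exposed_secrets(item, f"{path}[{i}]"))
    return hits


def demo() -> tuple[list[str], list[str]]:
    """Run both serializers over the sample record and audit each result."""
    leaking = find_exposed_secrets({"results": [serialize_naive(SAMPLE_RECORD)]})
    hardened = find_exposed_secrets(
        {"results": [WriteOnlySerializer().to_representation(SAMPLE_RECORD)]}
    )
    return leaking, hardened


if __name__ == "__main__":
    leak, fixed = demo()
    print("naive serializer exposes:", leak)
    print("write-only serializer exposes:", fixed)
```

`find_exposed_secrets` works on any decoded JSON, so it can be pointed at a saved `GET /api/v2/...` response from a test instance to confirm that no credential field survives after upgrading. The Django admin route is a separate rendering path: the analogous fix there is to keep the credential column out of the `ModelAdmin` form (`exclude`) or render it with a `PasswordInput` widget so the stored value is never echoed into the page.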

Patches

Has the problem been patched? What versions should users upgrade to?
The problems have been fixed. It is recommended that everyone upgrade DefectDojo to 1.9.3 or above. It is also advised to rotate any JIRA and Tool Configuration credentials stored in DefectDojo, since they may already have been read.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?
Users could remove the JIRA configuration entirely, or alternatively deploy reverse-proxy rules to work around the issue. The latter has not been tested at all and is merely a suggestion.

References

https://cwe.mitre.org/data/definitions/200.html

For more information

If you have any questions or comments about this advisory:

Please see our security policy for more information. Disclose responsibly any vulnerabilities that you may find.

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs