Impact
What kind of vulnerability is it? Who is impacted?
This vulnerability is one of CWE-200 - exposure of sensitive information to unauthorized actors.
Any DefectDojo instance having at least one JIRA integration configured and using DefectDojo version 1.9.2 or below is exposed.
There were two ways to obtain JIRA credentials without having proper authorization:
- JIRA passwords were exposed through the django admin portal.
- JIRA passwords were exposed through GET requests to API v1 and v2.
Moreover, the Tool_Configuration endpoints were leaking sensitive information as well (ssh, api key, and password fields).
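Both API leaks above come down to the same pattern: a serializer that echoes every model field back on a read. The following is an added illustration, not DefectDojo's own code; it uses a constructed Tool_Configuration-like record with placeholder values, and the field names password, ssh and api_key are assumed from the description above. It shows the exposing form beside a hardened form that treats secrets as write-only, plus a small audit helper for checking what a response body returns.

```python
from typing import Any, Dict, Optional, Set

# Constructed sample record standing in for a Tool_Configuration row.
# Every value here is a placeholder, not a real credential.
TOOL_CONFIG: Dict[str, Any] = {
    "id": 7,
    "name": "Internal scanner",
    "url": "https://scanner.example.invalid",
    "authentication_type": "API",
    "username": "svc-dojo",
    "password": "placeholder-password",
    "ssh": "placeholder-private-key",
    "api_key": "placeholder-api-key",
}

# Field names assumed for this illustration: accepted on write, never returned on read.
SECRET_FIELDS: Set[str] = {"password", "ssh", "api_key"}


def serialize_weak(row: Dict[str, Any]) -> Dict[str, Any]:
    """Exposing pattern: every stored field, secrets included, is echoed back on GET."""
    return dict(row)


def serialize_hardened(row: Dict[str, Any]) -> Dict[str, Any]:
    """Hardened pattern: secret fields are write-only, so a read omits them entirely."""
    return {key: value for key, value in row.items() if key not in SECRET_FIELDS}


def deserialize_hardened(payload: Dict[str, Any],
                         existing: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Write path: secrets may be set from the client; a blank secret keeps the stored one.

    This lets an editor update the name or URL without first reading (or resending)
    the credential, which is what makes write-only fields workable in practice.
    """
    updated = dict(existing or {})
    for key, value in payload.items():
        if key in SECRET_FIELDS and value in (None, ""):
            continue  # blank means "leave the stored secret untouched"
        updated[key] = value
    return updated


def leaked_fields(response_body: Dict[str, Any]) -> Set[str]:
    """Audit helper: which secret field names appear in a decoded API response body?"""
    return SECRET_FIELDS & set(response_body.keys())
```

Running leaked_fields over the decoded JSON of each configuration endpoint on your own instance is a quick way to confirm the upgrade closed the read path.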
Patches
Has the problem been patched? What versions should users upgrade to?
The problems have been fixed. It is recommended that everyone upgrades DefectDojo to 1.9.3 or above. It is advised to rotate any JIRA and Tool Configuration credentials stored in DefectDojo.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Users could remove the JIRA configuration entirely, or possibly deploy reverse-proxy rules to work around the issue. The latter has not been tested at all and is merely a suggestion.
References
https://cwe.mitre.org/data/definitions/200.html
For more information
If you have any questions or comments about this advisory:
Please see our security policy for more information. Disclose responsibly any vulnerabilities that you may find.