Jira Credential Disclosure within Mozilla Slack
Critical
Mozilla
Team Summary
Official summary from Mozilla
The reporter, who is an NDA'd contributor with access to the internal Mozilla Slack instance, found a Jira admin API token hard-coded in a script that was shared in a public Slack channel. The API key was revoked and the script was deleted from the public channel.
Reported by
griffinf
Vulnerability Details
Technical details and impact analysis
## Summary:
I was able to find Jira Admin API keys disclosed within Mozilla's #███ Slack channel, which were posted by a staff member of Mozilla.
## Steps To Reproduce:
1. Navigate to the following file: █████
2. Observe the exposed credentials on lines 310-312 of the Python script.
3. Verify the groups with the following curl request: `curl -u "██████:ATATT3xFfGF0V99l_█████████551CCC5D" -H "Content-Type: application/json" https://mozilla-hub.atlassian.net/rest/api/3/user/groups?accountId=████████`
4. Observe the following output, which shows that the user is a Jira Administrator, an Administrator and a Jira Service Desk user, among other groups.
[{"name":"jira-servicedesk-users","groupId":"███","self":"███████:"jira-administrators","groupId":"████████","self":██████:"jira-software-users","groupId":"███","self":██████████:"jira-servicemanagement-customers-mozilla-hub","groupId":"██████████","self":███:"site-admins","groupId":"████████","self":██████:"administrators","groupId":"██████████","self":██████:"Managers","groupId":"█████","self":██████"}]
## Impact
Admin API credentials provide elevated privileges that can grant access to all projects, user accounts, configurations, and other sensitive data stored in Jira.
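The class of finding above (an Atlassian API token pasted into a script and then into chat) is one that secret scanning over repositories and Slack exports catches before a reporter does. The following is an added example, not code from the report or from Mozilla: a small scanner that flags lines carrying an Atlassian Cloud API token and notes whether the token sits in a hard-coded assignment. The only token detail taken from the report is the visible `ATATT3xFfGF0` prefix; the assumed body length and character set, the hypothetical `scan_text` helper and both sample inputs are constructed for illustration and carry fake tokens.

```python
"""
Flag hard-coded Atlassian Cloud API tokens in scripts and chat exports.

Added example, not code from the original report or from Mozilla.
Assumptions: the token body format after the "ATATT3xFfGF0" prefix
(the prefix is the only part visible in the redacted report) and the
constructed sample inputs below, which contain fake tokens only.
"""
import re
from typing import Dict, List

# Atlassian Cloud API tokens begin with "ATATT3xFfGF0". The body charset and
# minimum length are an assumption; widen or tighten for your own corpus.
ATLASSIAN_TOKEN_RE = re.compile(r"ATATT3xFfGF0[A-Za-z0-9_\-]{20,}=?[0-9A-Fa-f]{0,8}")

# Assignment shapes that usually precede a hard-coded secret in source code.
ASSIGNMENT_RE = re.compile(
    r"(?i)\b(api[_-]?token|api[_-]?key|jira[_-]?token|password|secret)\b\s*[:=]\s*['\"]"
)


def mask(token: str) -> str:
    """Keep the prefix and last four characters so the key can be identified
    and revoked in Atlassian's token list without re-disclosing it."""
    return token[:12] + "..." + token[-4:]


def scan_text(text: str, source: str = "<input>") -> List[Dict[str, object]]:
    """Return one finding per token occurrence: source name, 1-based line
    number, masked token, and whether the line is a secret assignment."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ATLASSIAN_TOKEN_RE.finditer(line):
            findings.append({
                "source": source,
                "line": lineno,
                "masked": mask(match.group(0)),
                "in_assignment": bool(ASSIGNMENT_RE.search(line)),
            })
    return findings


# Constructed sample: a fragment shaped like the script the report describes.
# The token is fake and matches only the assumed format above.
SAMPLE_SCRIPT = '''\
import requests

JIRA_URL = "https://example.atlassian.net"
JIRA_USER = "svc-account@example.org"
JIRA_TOKEN = "ATATT3xFfGF0FAKEFAKEFAKEFAKEFAKEFAKEFAKE=0ABC1234"

def groups(account_id):
    return requests.get(f"{JIRA_URL}/rest/api/3/user/groups",
                        params={"accountId": account_id},
                        auth=(JIRA_USER, JIRA_TOKEN)).json()
'''

# Constructed sample: three lines from a hypothetical Slack channel export.
SAMPLE_SLACK = '''\
alice: here is the sync script, run it with python3 sync.py
bob: thanks! token is ATATT3xFfGF0NOTREALNOTREALNOTREALNOTREAL=DEADBEEF if you need it
carol: please rotate that and move it to the vault
'''


def scan_sources(sources: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan several named sources and return all findings in order."""
    results: List[Dict[str, object]] = []
    for name, text in sources.items():
        results.extend(scan_text(text, name))
    return results


if __name__ == "__main__":
    for f in scan_sources({"sync.py": SAMPLE_SCRIPT, "slack-export.txt": SAMPLE_SLACK}):
        where = "hard-coded assignment" if f["in_assignment"] else "free text"
        print(f'{f["source"]}:{f["line"]}: {f["masked"]} ({where}) -> revoke and remove')
```

The script finding points at the assignment on a specific line, which is what a revoke-and-remove ticket needs; the chat finding has no assignment context but still names the message line, so the post can be deleted and the token rotated from the same output.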
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$1000.00
Weakness
Information Disclosure