hackerone | 0619 | H1:955286
History: Aug 10, 2020 - 11:02 p.m.

HackerOne: GraphQL: Sorting the reports by the jira_status field resulted in a different value


**Summary:** Sorting the reports by jira_status yields a different result, revealing that the team is using Jira even though the user has no access to Jira information.

**Description:**
A user with no access to the Jira information of any report can still act on the jira_status field by using it in order_by. Using the two GraphQL queries below we can see the discrepancies in total_count for the test teams listed:

Test Teams:

  1. █████████
     order_by field id: total_count 10
     order_by field jira_status: total_count 11
  2. ██████████
     order_by field id: total_count 458
     order_by field jira_status: total_count 466
  3. ████
     order_by field id: total_count 299
     order_by field jira_status: total_count 309
  4. ███
     order_by field id: total_count 109
     order_by field jira_status: total_count 110

GraphQL query using the field id as the order_by criterion. Any other field yields the same result; only jira_status yields a different one:

```graphql
{
  reports(where: {team: {handle: {_eq: "██████"}}}, order_by: {direction: ASC, field: id}) {
    total_count
    nodes {
      substate
      jira_escalation_state
      jira_escalation_last_state_change_at
      created_at
      disclosed_at
      extracted_report_data {
        hosts
      }
      title
      url
      team {
        handle
      }
      reporter {
        username
      }
    }
  }
}
```

Please change the field in order_by to jira_status to display the different result.

Below is part of the response (the first node) using jira_status as the field. Please notice that jira_escalation_state and jira_escalation_last_state_change_at have null values, meaning a ==public user doesn't have access to this information.== Note the highlighted total_count of 11.

```json
{
  "data": {
    "reports": {
      "total_count": 11,
      "nodes": [
        {
          "substate": "resolved",
          "jira_escalation_state": null,
          "jira_escalation_last_state_change_at": null,
          "created_at": "2019-09-18T11:57:36.488Z",
          "disclosed_at": "2020-04-21T02:53:04.699Z",
          "extracted_report_data": null,
          "title": "███",
          "url": "███",
          "team": {
            "handle": "████████"
          },
          "reporter": {
            "username": "█████"
          }
        }
      ]
    }
  }
}
```

Additional information: I dug deeper into the discrepancies and checked the returned reports one by one to compare the results; in Team ███████, the report ███████ appeared twice because of the sort by jira_status.

Thank you.
Ariel

Impact

Due to improper access control on the jira_status field in order_by, any user can get an idea of which reports are using Jira even if the user has no access to Jira information.
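The following is an added example, not code from this report or from HackerOne's code base. It models the two observations above (a different total_count, and one report appearing twice) with a constructed in-memory database, and shows the defensive fix: authorize the sort key with the same per-viewer allowlist used for selected fields, and sort over one row per report. The table names, rows and `PUBLIC_FIELDS` allowlist are assumptions made for the illustration.

```python
# Added example: why sorting by a field the viewer cannot read leaks it, and how to close the gap.
import sqlite3

PUBLIC_FIELDS = {"id", "created_at"}  # hypothetical allowlist of fields a public viewer may read

# Naive sort: ordering by jira_status joins the escalation table, so a report with two
# escalation rows comes back twice and total_count differs from the id sort.
NAIVE_SORT_SQL = {
    "id": "SELECT id FROM reports ORDER BY id",
    "jira_status": "SELECT r.id FROM reports r LEFT JOIN jira_escalations j "
                   "ON j.report_id = r.id ORDER BY j.status, r.id",
}
# One-row-per-report variant: collapse escalations to a single status before joining.
SAFE_SORT_SQL = {
    "id": NAIVE_SORT_SQL["id"],
    "jira_status": "SELECT r.id FROM reports r LEFT JOIN (SELECT report_id, MAX(status) AS status "
                   "FROM jira_escalations GROUP BY report_id) j ON j.report_id = r.id "
                   "ORDER BY j.status, r.id",
}


def make_db() -> sqlite3.Connection:
    """Constructed sample data: 10 reports; report 3 has two Jira escalation rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE reports (id INTEGER PRIMARY KEY, created_at TEXT);"
        "CREATE TABLE jira_escalations (report_id INTEGER, status TEXT);"
    )
    db.executemany("INSERT INTO reports VALUES (?, ?)",
                   [(i, f"2020-08-{i:02d}T00:00:00Z") for i in range(1, 11)])
    db.executemany("INSERT INTO jira_escalations VALUES (?, ?)",
                   [(3, "Open"), (3, "Done"), (7, "Open")])
    return db


def vulnerable_report_ids(db, field):
    """Accepts any known sort field without checking that the viewer may read it."""
    return [row[0] for row in db.execute(NAIVE_SORT_SQL[field])]


def hardened_report_ids(db, field, viewer_fields):
    """Authorize the sort key like a selected field, then sort without duplicating rows."""
    if field not in viewer_fields:
        raise PermissionError(f"viewer may not sort by {field}")
    return [row[0] for row in db.execute(SAFE_SORT_SQL[field])]
```

With the constructed data the naive path returns 10 rows for `id` and 11 for `jira_status` (report 3 twice), mirroring the first test team; the hardened path refuses the sort for a public viewer and returns exactly 10 rows for a viewer who is allowed to read jira_status.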