Talos Intelligence - TALOS-2019-0833
Sep 16, 2019

Atlassian Jira WikiRenderer parser XSS vulnerability

2019-09-16 00:00:00
Talos Intelligence
www.talosintelligence.com

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

29.2%

Summary

An exploitable XSS vulnerability exists in the WikiRenderer functionality of Atlassian Jira, from version 7.6.4 to 8.1.0. A specially crafted comment can cause a persistent XSS. An attacker can create a comment or worklog entry to trigger this vulnerability.

Tested Versions

Atlassian Jira 7.6.4
Atlassian Jira 7.7.0
Atlassian Jira 8.1.0

Product URLs

https://www.atlassian.com/software/jira

CVSSv3 Score

7.4 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Details

Parsing of comments or worklogs that use the WikiRenderer is susceptible to malformed input, resulting in a persistent XSS. The renderer markup format supports setting attributes on embedded images in an attr=val format. The renderer also parses URLs in the text to create links in the rendered output. However, it also turns image attribute values that start with http: into links. Combining these two behaviors produces malformed HTML output, which can be leveraged to execute arbitrary JavaScript.
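The root cause described above is that an attribute value reaches the HTML output through two code paths (attribute emission and URL autolinking) with no shared validation. The following is an added example, not Jira's code or Talos's, of how a renderer for this kind of image macro can avoid the bug class: attribute names are checked against an allow-list, each value must match a strict shape (a width is digits, not free text), anything that fails is dropped and reported rather than autolinked, and every value that is emitted is attribute-escaped. The macro grammar, the allow-list and the sample comments are constructed for the example; the two payload strings are the ones quoted in the Exploit Proof-of-Concept section below and are used only as inputs to show the hardened renderer rejecting them.

```python
import html
import re

# Constructed allow-list: image attributes the renderer accepts and the exact
# shape each value must have. A value that starts with "http:" can never pass,
# so there is nothing for a URL autolinker to act on.
ALLOWED_IMAGE_ATTRS = {
    "width": re.compile(r"\d{1,4}(%|px)?"),
    "height": re.compile(r"\d{1,4}(%|px)?"),
    "align": re.compile(r"left|right|center"),
    "alt": re.compile(r"[\w .,\-]{0,200}"),
}

# Constructed macro grammar: !source|attr=val,attr=val!  (attributes optional)
IMAGE_MACRO = re.compile(r"!([^!|\s]+)(?:\|([^!]*))?!")

# Image sources must be an absolute http(s) URL or a plain attachment filename.
IMAGE_SRC = re.compile(r"(https?://[^\s\"'<>]+|[\w.\-]+\.(png|jpg|jpeg|gif))", re.IGNORECASE)


def parse_image_attrs(raw):
    """Split 'k=v,k2=v2' into validated attributes. Returns (accepted, rejected)."""
    accepted, rejected = {}, []
    if not raw:
        return accepted, rejected
    for part in raw.split(","):
        if "=" not in part:
            rejected.append(part)
            continue
        key, _, value = part.partition("=")
        key, value = key.strip().lower(), value.strip()
        pattern = ALLOWED_IMAGE_ATTRS.get(key)
        if pattern is None or not pattern.fullmatch(value):
            rejected.append(part)  # dropped, never echoed or autolinked
        else:
            accepted[key] = value
    return accepted, rejected


def render_image(src, attrs):
    """Emit an <img> tag with every value attribute-escaped, or None if src is invalid."""
    if not IMAGE_SRC.fullmatch(src):
        return None
    pieces = ['src="%s"' % html.escape(src, quote=True)]
    for key in sorted(attrs):
        pieces.append('%s="%s"' % (key, html.escape(attrs[key], quote=True)))
    return "<img %s>" % " ".join(pieces)


def render_comment(text):
    """Render image macros in one comment. Returns (html_output, findings).

    Text outside macros is HTML-escaped; findings list every rejected attribute
    or source so the decision can be logged or alerted on.
    """
    out, findings, pos = [], [], 0
    for m in IMAGE_MACRO.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        src, raw_attrs = m.group(1), m.group(2)
        accepted, rejected = parse_image_attrs(raw_attrs)
        for r in rejected:
            findings.append("rejected image attribute %r in %r" % (r, m.group(0)))
        tag = render_image(src, accepted)
        if tag is None:
            findings.append("rejected image source %r" % src)
            out.append(html.escape(m.group(0)))  # show the macro as literal text
        else:
            out.append(tag)
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out), findings


# Constructed sample comments: one benign, plus the two payloads quoted in this advisory.
SAMPLE_COMMENTS = [
    "See !diagram.png|width=300,height=200! for details",
    "!https://cdn.cnn.com/cnn/.e1mo/img/4.0/logos/logo_cnn_badge_2up.png"
    "|width=http://onmouseover=alert(42&#x29;;//!",
    "!image.png|width=\\\" onmouseover=alert(42);//!",
]

if __name__ == "__main__":
    for comment in SAMPLE_COMMENTS:
        rendered, findings = render_comment(comment)
        print(rendered)
        for f in findings:
            print("  finding:", f)
```

The point of keeping `findings` separate from the rendered output is that the same validation result can feed two controls: the renderer drops the bad attribute, and the application can log the event, which gives a detection signal for comments or worklog entries that carry attribute values shaped like markup or URLs.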

Exploit Proof-of-Concept

To demonstrate the issue on versions 7.6.4-7.7.0, create an issue comment with the following content:

!https://cdn.cnn.com/cnn/.e1mo/img/4.0/logos/logo_cnn_badge_2up.png|width=http://onmouseover=alert(42&#x29;;//!

The same issue can be demonstrated on version 8.1.0, using the following content:

!image.png|width=\" onmouseover=alert(42);//!

Timeline

2019-05-14 - Vendor disclosure
2019-09-09 - Vendor patched
2019-09-12 - Public release
