Skip to content
Nuclei Templates

Atlassian Jira Service Desk Signup

ID: jira-servicedesk-signup

Severity: medium

Author: TechbrunchFR

Tags: atlassian,servicedesk,jira,confluence

Description

Section titled “Description”

This instance of Atlassian JIRA is misconfigured to allow an attacker to sign up (create a new account) just by navigating to the signup page that is accessible at the URL /servicedesk/customer/user/signup. After the attacker has created a new account it’s possible for him/her to access the support portal.

YAML Source

Section titled “YAML Source”
id: jira-servicedesk-signup


info:
  name: Atlassian Jira Service Desk Signup
  author: TechbrunchFR
  severity: medium
  description: This instance of Atlassian JIRA is misconfigured to allow an attacker to sign up (create a new account) just by navigating to the signup page that is accessible at the URL /servicedesk/customer/user/signup. After the attacker has created a new account it's possible for him/her to access the support portal.
  reference:
    - https://www.acunetix.com/vulnerabilities/web/atlassian-jira-servicedesk-misconfiguration/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cwe-id: CWE-287
    cpe: cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:*:*:*:*
  metadata:
    max-request: 4
    shodan-query: http.component:"Atlassian Jira"
    product: jira_service_management
    vendor: atlassian
  tags: atlassian,servicedesk,jira,confluence


http:
  - raw:
      - |
        GET /servicedesk/customer/user/signup HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /servicedesk/customer/user/signup HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Origin: {{RootURL}}
        Referer: {{RootURL}}/servicedesk/customer/user/signup


        {"email":"","fullname":"{{randstr}}","password":"","captcha":"","secondaryEmail":""}
      - |
        GET /secure/Signup!default.jspa HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /secure/Signup.jspa HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Origin: {{RootURL}}
        Referer: {{RootURL}}/secure/Signup.jspa


        email=&fullname={{randstr}}&username=&password=&Signup=Sign+up


    stop-at-first-match: true
    matchers:
      - type: word
        words:
          - 'signup.validation.errors'
          - 'signup-username-error'
        condition: or
# digest: 4a0a0047304502206c30d3ef213e5c172f390fe3aa5ce01f896f61f900121f8374a7f00e9479e7aa022100c2e2e0265c24e2147362aac5b8e9837344743f96190f17fd6446a263dbf82072:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/vulnerabilities/jira/jira-servicedesk-signup.yaml"

View on Github