Security firm Palo Alto Networks Inc. has uncovered a serious Server-Side vulnerability in Atlassian Corp. PLC’s Jira issue tracking product that exposes data stored using the product.

The Server-Side Request Forgery vulnerability involves a web application redirecting an attacker’s request to the internal network or localhost behind a set firewall.

Posing a particular threat to cloud services because of the use of the metadata application programming interfaces, the vulnerability allows applications to access the underlying cloud infrastructure’s information such as configurations, logs and credentials. Although metadata API is typically accessible only locally, the vulnerability opens the door to the internet and also bypasses application container sandbox protection.

The security researchers, using Palo Alto Networks’ in-house scanning tools, founded more than 7,000 Jira instances exposed to the internet in public clouds, with 45% vulnerable to the particular vulnerability and 56% of the 3,152 vulnerable hosts leaking cloud infrastructure metadata.

Digital Ocean customers were said to have the highest rate (93%) of data leaks, followed by customers of Google Cloud (80%), Alibaba (71%), Amazon Web Services (68%) and Hetzner (21%). There were zero data leaks from Microsoft Azure because it blocks metadata API SSRF requests by default.

A similar vulnerability is said to have been used in the hack of Capital One Financial Corp. in July that resulted in the theft of more than 100 million customer records.

“SSRF opens the door for internal network reconnaissance, lateral movement and even remote code execution,” the security researchers said. “Sensitive data such as credentials and network architecture may be leaked, and internal services such as database and storage could be exposed. In the worst case, the entire cloud infrastructure could be compromised.”

The issue ultimately comes down to a lack of proper input sanitization by developers. The security researchers recommend that developers should strictly validate the format and pattern of the user input before passing it to the application logic. There are also recommendations for system administrators including domain white-listing, implementation of zero-trust networking principles, use of a Web Application Firewall and ultimately the most logical suggestion of them all: patching and updating applications frequently.

Image: Atlassian