CVE-2020-36232 in atlassian-gadgets
Summary
by MITRE • 02/23/2021
The MessageBundleWhiteList class of atlassian-gadgets before version 4.2.37, from version 4.3.0 before 4.3.14, from version 4.3.2.0 before 4.3.2.4, from version 4.4.0 before 4.4.12, and from version 5.0.0 before 5.0.1 allowed unexpected DNS lookups and requests to arbitrary services as it incorrectly obtained application base url information from the executing http request which could be attacker controlled.
Analysis
by VulDB Data Team • 03/04/2021
The vulnerability identified as CVE-2020-36232 resides in the MessageBundleWhiteList class of the atlassian-gadgets library and affects releases before 4.2.37 as well as several ranges in the 4.3.x, 4.4.x, and 5.0.x series (listed in the summary above). It is a serious weakness that allows DNS resolution and network requests to arbitrary services because the application base URL is handled improperly: instead of relying on a server-side configured value, the class derives the base URL from the incoming HTTP request, whose host information is client-supplied, and uses it without adequate validation.
The flaw is triggered when the MessageBundleWhiteList class extracts base URL information from an incoming HTTP request without sufficient validation. This happens during gadget rendering or message bundle handling, when the system resolves external resources relative to what it believes is its own base URL. An attacker who controls the request fields from which that base URL is built can steer the system's DNS resolution and network communication toward arbitrary endpoints. The flaw sits at the application layer and is reachable through crafted HTTP requests that manipulate the values used for gadget configuration and resource resolution.
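The pattern described above, as an added illustration that is not code from atlassian-gadgets or from VulDB: a base URL derived from the request's own Host header goes wherever the client says, while the hardened form (the allowlist-based validation the analysis recommends below) always builds the base URL from server-side configuration and only uses the request host to detect a mismatch. The `Request` class, the host names and the `BaseUrlPolicy` API are constructed for this example.

```python
from urllib.parse import urlsplit, urlunsplit


class Request:
    """Constructed stand-in for an incoming servlet request: just the fields a
    base-URL derivation would read. Every one of them is client-controlled."""

    def __init__(self, scheme, host_header, path="/"):
        self.scheme = scheme          # as seen by the servlet container
        self.host_header = host_header  # raw HTTP Host header value
        self.path = path


def base_url_from_request(req):
    """Flawed pattern: trusts the request's Host header. Any resource fetch
    built on this value resolves and connects to whatever host the client sent."""
    return f"{req.scheme}://{req.host_header}/"


def _header_hostname(host_header):
    # urlsplit handles "host:port" and "[v6]:port" forms; .hostname lowercases.
    return urlsplit("//" + host_header).hostname


class BaseUrlPolicy:
    """Hardened pattern: the canonical base URL comes from configuration and is
    never assembled from request data. The request host is compared against an
    explicit allowlist only so that a mismatch can be logged."""

    def __init__(self, configured_base_url, allowed_hosts):
        parts = urlsplit(configured_base_url)
        context_path = parts.path.rstrip("/") + "/"   # keep a context path like /jira
        self.configured_base_url = urlunsplit(
            (parts.scheme, parts.netloc, context_path, "", "")
        )
        self.allowed_hosts = {h.lower() for h in allowed_hosts}

    def resolve(self, req):
        """Return (base_url, host_header_matched). The URL is always the
        configured one; the flag tells the caller whether to log tampering."""
        host = _header_hostname(req.host_header)
        matched = host is not None and host in self.allowed_hosts
        return self.configured_base_url, matched

    def is_allowed_fetch(self, url):
        """Gate for outbound resource fetches (e.g. a message bundle): only
        http/https URLs whose host is on the allowlist may be resolved."""
        parts = urlsplit(url)
        return parts.scheme in ("http", "https") and (
            parts.hostname is not None and parts.hostname in self.allowed_hosts
        )


if __name__ == "__main__":
    policy = BaseUrlPolicy("https://jira.example.org/", ["jira.example.org"])
    spoofed = Request("https", "attacker.example")
    print("flawed   :", base_url_from_request(spoofed))
    print("hardened :", policy.resolve(spoofed))
```

Running the block prints the attacker-chosen base URL from the flawed derivation and the configured URL plus a `False` match flag from the hardened one; the `is_allowed_fetch` gate is the check a fetch routine would apply before any DNS lookup is issued.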
This vulnerability has significant operational impact across Atlassian products that use the affected gadgets library, particularly those that render gadgets or process message bundles. Attackers can leverage the weakness to perform DNS tunneling, exfiltrate data through DNS requests, or redirect network traffic to malicious endpoints. The attack surface extends to any system where gadgets are enabled and user-controllable URL values are processed without proper validation, potentially enabling information disclosure, command execution, or service disruption. The vulnerability is particularly dangerous because it is reachable through legitimate application functionality, which makes detection and prevention harder.
Mitigating CVE-2020-36232 means updating to the patched versions of atlassian-gadgets, in which the MessageBundleWhiteList class properly validates and sanitizes URL information extracted from HTTP requests. Organizations should also implement network-level controls that restrict outbound DNS requests from application servers and monitor for suspicious DNS resolution patterns. The fix typically involves proper input validation, allowlists of acceptable URL patterns, and sanitization of URL values before they are used in network operations. The vulnerability aligns with CWE-20 (improper input validation) and could be mapped to ATT&CK technique T1071.004 for application layer protocol tunneling, where attackers use legitimate application features to bypass security controls.
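The monitoring side of the mitigation above, as an added example that is not part of the original analysis: a small detector run over resolver query logs that flags lookups from application servers for names outside the expected set, and separately counts how many distinct subdomains each parent domain receives, which is one rough signal of data being carried in query names. The log line format is a constructed simplification (not any specific resolver's exact syntax), and the IP addresses and domain names are made up for the example.

```python
import re
from collections import defaultdict

# Constructed, simplified query-log line:
#   "<timestamp> client <ip>#<port>: query: <name> IN <type>"
LOG_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: "
    r"(?P<name>[A-Za-z0-9._-]+) IN (?P<qtype>[A-Z]+)"
)

# Constructed sample: 10.0.1.5 is an application server, 10.0.2.7 a workstation.
SAMPLE_LOG = [
    "23-Feb-2021 10:15:02 client 10.0.1.5#51234: query: jira.example.org IN A",
    "23-Feb-2021 10:15:03 client 10.0.1.5#51235: query: confluence.example.org IN A",
    "23-Feb-2021 10:15:09 client 10.0.1.5#51236: query: 4a6f.c2.attacker.example IN A",
    "23-Feb-2021 10:15:10 client 10.0.1.5#51237: query: 4b70.c2.attacker.example IN A",
    "23-Feb-2021 10:15:11 client 10.0.1.5#51238: query: 4c71.c2.attacker.example IN A",
    "23-Feb-2021 10:15:12 client 10.0.2.7#40001: query: news.example.net IN A",
    "23-Feb-2021 10:15:13 this line does not match the expected format",
]


def parse_queries(lines):
    """Yield (client_ip, lowercase name, qtype) for every well-formed line."""
    out = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            out.append((m.group("ip"), m.group("name").lower().rstrip("."), m.group("qtype")))
    return out


def is_expected(name, expected_suffixes):
    """True when the name is one of, or lies under, an expected domain."""
    return any(name == s or name.endswith("." + s) for s in expected_suffixes)


def unexpected_lookups(lines, app_servers, expected_suffixes):
    """Lookups issued by application servers for names outside the allowlist."""
    return [
        (ip, name)
        for ip, name, _ in parse_queries(lines)
        if ip in app_servers and not is_expected(name, expected_suffixes)
    ]


def fan_out_by_parent(lines, app_servers, min_unique=3):
    """Parent domains (last two labels) that received at least `min_unique`
    distinct subdomain lookups from application servers."""
    seen = defaultdict(set)
    for ip, name, _ in parse_queries(lines):
        if ip not in app_servers:
            continue
        labels = name.split(".")
        if len(labels) < 3:
            continue
        seen[".".join(labels[-2:])].add(name)
    return {parent: len(names) for parent, names in seen.items() if len(names) >= min_unique}


if __name__ == "__main__":
    servers = {"10.0.1.5"}
    for hit in unexpected_lookups(SAMPLE_LOG, servers, {"example.org"}):
        print("unexpected lookup from app server:", hit)
    print("high fan-out parents:", fan_out_by_parent(SAMPLE_LOG, servers))
```

The two checks are deliberately separate: the allowlist comparison catches a single redirected fetch, while the fan-out count is only meaningful over a window of queries and should be tuned (the `min_unique` threshold) against the normal behaviour of the servers being watched.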