Security audit - Cloud (03/03/2025)
Report from Néosoft on March 3rd, 2025
The text below is a summary of the security audit performed by Néosoft. See the full report.
Introduction
This document reports the security audit results of the Confluence and Jira plugins “Requirement Yogi Cloud” and “Requirement Yogi for Jira Cloud”, the Requirement Yogi Standalone application and the Keycloak authentication platform, all developed by the company Requirement Yogi.
Néosoft performed the audit over one week in January 2025.
Requirement Yogi provided three accounts: Super Admin, Admin and User.
N.B.: the results come from 4 days of audit; they may therefore be only a subset of what an attacker with no time limit could find.
Risk analysis summary
The main risks which the auditor was asked to focus on were:
Data injection,
Security Misconfiguration.
During the audit, the auditor identified a single scenario that could impact the company Requirement Yogi:
The cookies used by the main application do not have a configured "SameSite" security attribute.
The "SameSite" attribute helps mitigate the risks associated with Cross-Site Request Forgery (CSRF) attacks. In this case, the absence of this protection makes the application more vulnerable to potential CSRF attacks.
Likelihood: 1 (Low)
Potential impact: 1 (Low)
Note: this point cannot be corrected because the OAuth authentication (Keycloak) uses the cookie for authentication across all our websites (cf. the explanation by the Keycloak team). As this issue is of very low criticality, it was decided to rate it as a false positive.
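As an added example (not part of the Néosoft report or of Requirement Yogi's code), the following Python script audits captured Set-Cookie header values for the weakness described above: it flags cookies with no SameSite attribute, and also covers the case the note raises, since a cookie that is deliberately used across sites must carry SameSite=None together with Secure or browsers reject it. The header values and cookie names are constructed samples.

```python
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class CookieFinding:
    name: str
    same_site: Optional[str]   # None when the attribute is absent
    secure: bool
    http_only: bool
    issues: list = field(default_factory=list)

def parse_set_cookie(header: str) -> CookieFinding:
    """Parse one Set-Cookie header value into its name and security attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    same_site, secure, http_only = None, False, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            # A bare "SameSite" with no value is treated as absent.
            same_site = value.strip().capitalize() or None
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
    return CookieFinding(name, same_site, secure, http_only)

def audit_cookie(header: str) -> CookieFinding:
    """Record the CSRF-relevant weaknesses described in the audit report."""
    c = parse_set_cookie(header)
    if c.same_site is None:
        c.issues.append("SameSite attribute not set")
    elif c.same_site == "None" and not c.secure:
        # A cookie shared cross-site must be SameSite=None and Secure; browsers reject it otherwise.
        c.issues.append("SameSite=None requires Secure")
    if not c.secure:
        c.issues.append("Secure flag missing")
    if not c.http_only:
        c.issues.append("HttpOnly flag missing")
    return c

# Constructed sample headers; they are not taken from the audited application.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
    "KEYCLOAK_SESSION=xyz; Path=/realms/demo; SameSite=None; Secure; HttpOnly",
    "prefs=dark; Path=/",
]
if __name__ == "__main__":
    for f in map(audit_cookie, SAMPLE_HEADERS):
        print(f.name, f.issues or "ok")
```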
Risk assessment grades
General overview
Strengths
✓ Very limited potential attack surface
✓ No injections identified (XSS, SQLi, SSTI, ...)
✓ No access control issues found
✓ JWT session tokens well signed / secured
✓ No file upload vulnerabilities found
✓ Security good practices generally taken into account
✓ Quick implementation of the identified improvements
Possible improvements
❖ Excel formula injection in exportable data
❖ Access to Swagger documentation without authentication
Conclusion
During the audit, no critical or high vulnerabilities were found by the auditor.
Considering the security picture only, the Requirement Yogi Cloud plugin is at a good level.
An attacker would certainly need a considerable amount of time to find and exploit a potential vulnerability in the API. Thus, an attacker would more likely try to gain access to the system by other means, such as stealing the AWS credentials, phishing employees or similar.
The global security score assigned to the service is A, meaning that no critical vulnerability has been identified.
For one application, the application's cookies, including session cookies, lack the SameSite security attribute, increasing the risk of Cross-Site Request Forgery (CSRF) attacks that could be used to issue unauthorized requests. However, it was decided to rate this as a false positive (see the note above).
Positive aspects were also identified, such as the absence of injection possibilities like XSS or SQLi and the absence of reported file upload vulnerabilities. In addition, the service generally adheres to security best practices, including correct input validation, secure coding standards and regular updates.
Grade: A
No significant vulnerabilities, or only very low-criticality vulnerabilities