The firefighter-incident application by ManoManoTech contains a missing authentication vulnerability (CWE-306) in the POST /api/v2/firefighter/raid/jira_bot endpoint before version 0.0.54. This endpoint is incorrectly configured to allow unauthenticated access despite documentation indicating a Bearer token requirement. It fetches attachments from arbitrary URLs without validation and uploads them to Jira tickets. This allows unauthenticated attackers to force the server to retrieve arbitrary URLs, potentially exfiltrating sensitive data. On AWS EC2/EKS deployments lacking IMDSv2 enforcement, attackers can steal temporary AWS credentials linked to the pod's IAM role. The vulnerability is addressed in version 0.0.54. The service is cloud-hosted, and remediation is managed by the vendor.

An unauthenticated attacker can exploit this vulnerability to make the server fetch arbitrary URLs and upload their content as Jira attachments, leading to potential data exfiltration. In AWS EC2/EKS environments without IMDSv2 enforcement, this can escalate to theft of temporary AWS credentials associated with the pod's IAM role, enabling further compromise. The vulnerability has a CVSS score of 9.9, indicating critical severity with high confidentiality impact, limited integrity impact, and limited availability impact.

A fix is available in firefighter-incident version 0.0.54, which enforces proper authentication on the affected endpoint. Since this is a cloud-hosted service, the vendor manages remediation server-side. Users should verify that their deployments are updated to version 0.0.54 or later. Additionally, enforcing IMDSv2 on AWS EC2/EKS deployments mitigates the risk of credential theft. Check the vendor advisory for confirmation and further guidance.