<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:19:34 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-2286] X-Okapi-Module-Tokens response header providing access to unauthenticated users</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-2286</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;h2&gt;&lt;a name=&quot;Overview&quot;&gt;&lt;/a&gt;Overview&lt;/h2&gt;
&lt;p&gt;The X-Okapi-Module-Tokens response header is being returned when making calls to endpoints which have modulePermissions defined.  This header includes an token which can be used like an X-Okapi-Token granting access without ever authenticating. &lt;/p&gt;

&lt;h2&gt;&lt;a name=&quot;Reproducer&quot;&gt;&lt;/a&gt;Reproducer&lt;/h2&gt;
&lt;p&gt;Make a call w/o specifying an X-Okapi-Token to an endpoint which has modulePermissions - NOTE that an X-Okapi-Token isn&apos;t provided here...:&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
$ curl $OKAPI/circulation/loans -H &lt;span class=&quot;code-quote&quot;&gt;&quot;X-okapi-tenant: diku&quot;&lt;/span&gt; -v -w&lt;span class=&quot;code-quote&quot;&gt;&apos;\n&apos;&lt;/span&gt;
*   Trying 52.72.80.49...
* Connected to folio-testing-okapi.aws.indexdata.com (52.72.80.49) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 597 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: *.aws.indexdata.com (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate &lt;span class=&quot;code-keyword&quot;&gt;public&lt;/span&gt; key: RSA
* 	 certificate version: #3
* 	 subject: CN=*.aws.indexdata.com
* 	 start date: Thu, 23 May 2019 00:00:00 GMT
* 	 expire date: Tue, 23 Jun 2020 12:00:00 GMT
* 	 issuer: C=US,O=Amazon,OU=Server CA 1B,CN=Amazon
* 	 compression: NULL
* ALPN, server accepted to use http/1.1
&amp;gt; GET /circulation/loans HTTP/1.1
&amp;gt; Host: folio-testing-okapi.aws.indexdata.com
&amp;gt; User-Agent: curl/7.47.0
&amp;gt; Accept: */*
&amp;gt; X-okapi-tenant: diku
&amp;gt; 
&amp;lt; HTTP/1.1 403 Forbidden
&amp;lt; Date: Wed, 25 Sep 2019 21:24:33 GMT
&amp;lt; Content-Type: text/plain
&amp;lt; Transfer-Encoding: chunked
&amp;lt; Connection: keep-alive
&amp;lt; X-Okapi-Module-Tokens: {&lt;span class=&quot;code-quote&quot;&gt;&quot;mod-circulation-17.0.0-SNAPSHOT.383&quot;&lt;/span&gt;:&lt;span class=&quot;code-quote&quot;&gt;&quot;eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJVTkRFRklORURfVVNFUl9fMTAuMzYuMS45NTo0NTk3OF9fMjAxOS0wOS0yNVQyMToyNDozMy4yNjcrMDAwMCIsIm1vZHVsZSI6Im1vZC1jaXJjdWxhdGlvbi0xNy4wLjAtU05BUFNIT1QuMzgzIiwiZXh0cmFfcGVybWlzc2lvbnMiOlsibW9kcGVybXMuY2lyY3VsYXRpb24ubG9hbnMuY29sbGVjdGlvbi5nZXQiXSwicmVxdWVzdF9pZCI6IjE5MDk5N1wvY2lyY3VsYXRpb24iLCJ0ZW5hbnQiOiJkaWt1In0.sGQCtHxwNNi3gSWZctCULRHiHx3O4Sq2xJoT1i64jYw&quot;&lt;/span&gt;,&lt;span class=&quot;code-quote&quot;&gt;&quot;_&quot;&lt;/span&gt;:&lt;span class=&quot;code-quote&quot;&gt;&quot;eyJhbGciOiJIUzI1NiJ9.eyJkdW1teSI6dHJ1ZSwic3ViIjoiVU5ERUZJTkVEX1VTRVJfXzEwLjM2LjEuOTU6NDU5NzhfXzIwMTktMDktMjVUMjE6MjQ6MzMuMjY3KzAwMDAiLCJyZXF1ZXN0X2lkIjoiMTkwOTk3XC9jaXJjdWxhdGlvbiIsInRlbmFudCI6ImRpa3UifQ.w1t8bHOzlAd5EOYeLBOjU8DW9A0DgjvJqVrkds_Ha7U&quot;&lt;/span&gt;}
&amp;lt; X-Okapi-Trace: GET mod-authtoken-2.3.0-SNAPSHOT.56 http:&lt;span class=&quot;code-comment&quot;&gt;//10.36.1.95:9132/circulation/loans : 403 3207us
&lt;/span&gt;&amp;lt; 
* Connection #0 to host folio-testing-okapi.aws.indexdata.com left intact
Access requires permission: circulation.loans.collection.get
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;The 403 response makes sense except for the X-Okapi-Module-Tokens header... when decoded, this particular call gives a token providing the following permissions:&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
modperms.circulation.loans.collection.get
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;which expands to a very long list:&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
[
        &lt;span class=&quot;code-quote&quot;&gt;&quot;circulation-storage.loans.collection.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;circulation-storage.loan-policies.item.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;circulation-storage.loan-policies.collection.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;inventory-storage.items.item.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;inventory-storage.items.collection.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;inventory-storage.locations.item.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;inventory-storage.locations.collection.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;inventory-storage.location-units.institutions.item.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;inventory-storage.location-units.campuses.item.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;inventory-storage.location-units.libraries.item.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;inventory-storage.location-units.libraries.collection.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;inventory-storage.holdings.collection.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;inventory-storage.holdings.item.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;inventory-storage.instances.collection.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;inventory-storage.instances.item.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;inventory-storage.material-types.collection.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;inventory-storage.material-types.item.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;inventory-storage.service-points.collection.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;inventory-storage.service-points.item.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;users.collection.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;users.item.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;inventory-storage.locations.collection.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;accounts.collection.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;usergroups.collection.get&quot;&lt;/span&gt;,
        &lt;span class=&quot;code-quote&quot;&gt;&quot;usergroups.item.get&quot;&lt;/span&gt;
      ]
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;The recent fix for 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;RMB-478&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/RMB-478&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;RMB echoes all headers&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium&quot; /&gt;
            RMB-478
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
 appears to fix this, but modules will need to upgrade to a version of RMB that has this fix, and re-release.&lt;/p&gt;</description>
                <environment></environment>
        <key id="81441">FOLIO-2286</key>
            <summary>X-Okapi-Module-Tokens response header providing access to unauthenticated users</summary>
                <type id="10001" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium">Bug</type>
                                            <priority id="10000" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p1.svg">P1</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10003">Done</resolution>
                                                        <assignee accountid="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d">Jakub Skoczen</assignee>
                                                                <reporter accountid="5cf6c546b87c300f36eb7b9a">Craig McNally</reporter>
                                    <labels>
                            <label>q3.2-2019</label>
                            <label>security</label>
                    </labels>
                <created>Wed, 25 Sep 2019 21:33:40 +0000</created>
                <updated>Wed, 3 Jun 2020 16:40:10 +0000</updated>
                            <resolved>Thu, 26 Sep 2019 16:18:30 +0000</resolved>
                                                                        <due></due>
                            <votes>0</votes>
                                    <watches>7</watches>
                                                                <comments>
                                                            <comment id="193611" author="5cf6c546b87c300f36eb7b9a" created="Wed, 25 Sep 2019 21:38:15 +0000"  >&lt;p&gt;We verified that 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;RMB-478&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/RMB-478&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;RMB echoes all headers&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium&quot; /&gt;
            RMB-478
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
 helps by locally updating mod-orders to use RMB 27.1.1.  This appears to solve the problem.&lt;/p&gt;

&lt;p&gt;Unfortunately, I doubt all modules affected by this are in a position to simply upgrade to the latest RMB version.&lt;/p&gt;</comment>
                                                            <comment id="193615" author="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d" created="Thu, 26 Sep 2019 05:39:59 +0000"  >&lt;p&gt;EDITED&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5cf6c546b87c300f36eb7b9a&quot; class=&quot;user-hover&quot; rel=&quot;5cf6c546b87c300f36eb7b9a&quot; data-account-id=&quot;5cf6c546b87c300f36eb7b9a&quot; accountid=&quot;5cf6c546b87c300f36eb7b9a&quot; rel=&quot;noreferrer&quot;&gt;Craig McNally&lt;/a&gt; &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5f8314dfbdef80006f6f572d&quot; class=&quot;user-hover&quot; rel=&quot;5f8314dfbdef80006f6f572d&quot; data-account-id=&quot;5f8314dfbdef80006f6f572d&quot; accountid=&quot;5f8314dfbdef80006f6f572d&quot; rel=&quot;noreferrer&quot;&gt;Adam Dickmeiss&lt;/a&gt; &lt;/p&gt;

&lt;p&gt;&lt;del&gt;AFAIK, this problem is only exploitable locally (when making direct calls to the module) hence not as critical as 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;FOLIO-2287&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/FOLIO-2287&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Valid X-Okapi-Token (with permissions) returned on invalid login&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium&quot; /&gt;
            FOLIO-2287
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
 which can be exploited by a remote attacker to gain access to the system. I would not consider it a release blocker then, what do you think &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5cf6c546b87c300f36eb7b9a&quot; class=&quot;user-hover&quot; rel=&quot;5cf6c546b87c300f36eb7b9a&quot; data-account-id=&quot;5cf6c546b87c300f36eb7b9a&quot; accountid=&quot;5cf6c546b87c300f36eb7b9a&quot; rel=&quot;noreferrer&quot;&gt;Craig McNally&lt;/a&gt;?&lt;/del&gt;&lt;/p&gt;

&lt;p&gt;We will expedite the fix anyway through 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;OKAPI-763&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/OKAPI-763&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Prevent X-Okapi-Token being returned by a module&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10322?size=medium&quot; /&gt;
            OKAPI-763
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
, to avoid blocking it on RMB upgrades across all modules (which should be done anyway).&lt;/p&gt;</comment>
                                                            <comment id="193619" author="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d" created="Thu, 26 Sep 2019 09:06:15 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5cf6c546b87c300f36eb7b9a&quot; class=&quot;user-hover&quot; rel=&quot;5cf6c546b87c300f36eb7b9a&quot; data-account-id=&quot;5cf6c546b87c300f36eb7b9a&quot; accountid=&quot;5cf6c546b87c300f36eb7b9a&quot; rel=&quot;noreferrer&quot;&gt;Craig McNally&lt;/a&gt; have you tried using the leaked tokens to call an API in FOLIO?&lt;/p&gt;</comment>
                                                            <comment id="193624" author="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d" created="Thu, 26 Sep 2019 09:46:49 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5cf6c546b87c300f36eb7b9a&quot; class=&quot;user-hover&quot; rel=&quot;5cf6c546b87c300f36eb7b9a&quot; data-account-id=&quot;5cf6c546b87c300f36eb7b9a&quot; accountid=&quot;5cf6c546b87c300f36eb7b9a&quot; rel=&quot;noreferrer&quot;&gt;Craig McNally&lt;/a&gt; &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5f8314dfbdef80006f6f572d&quot; class=&quot;user-hover&quot; rel=&quot;5f8314dfbdef80006f6f572d&quot; data-account-id=&quot;5f8314dfbdef80006f6f572d&quot; accountid=&quot;5f8314dfbdef80006f6f572d&quot; rel=&quot;noreferrer&quot;&gt;Adam Dickmeiss&lt;/a&gt; Ok, I&apos;ve verfied that is also a remote exploit. I won&apos;t be posting full repro steps here.&lt;/p&gt;</comment>
                                                            <comment id="193628" author="5f8314dfbdef80006f6f572d" created="Thu, 26 Sep 2019 12:53:50 +0000"  >&lt;p&gt;This should be solved by 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;OKAPI-764&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/OKAPI-764&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;X-Okapi-Module-Tokens revealed in response&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium&quot; /&gt;
            OKAPI-764
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
 . X-Okapi-Module-Tokens is an internal request header (never response).&lt;/p&gt;</comment>
                                                            <comment id="193630" author="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d" created="Thu, 26 Sep 2019 16:18:30 +0000"  >&lt;p&gt;Verified by &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5cf6c546b87c300f36eb7b9a&quot; class=&quot;user-hover&quot; rel=&quot;5cf6c546b87c300f36eb7b9a&quot; data-account-id=&quot;5cf6c546b87c300f36eb7b9a&quot; accountid=&quot;5cf6c546b87c300f36eb7b9a&quot; rel=&quot;noreferrer&quot;&gt;Craig McNally&lt;/a&gt;&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10000">
                    <name>Blocks</name>
                                                                <inwardlinks description="is blocked by">
                                        <issuelink>
            <issuekey id="54095">OKAPI-764</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                                                <inwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="81434">FOLIO-2287</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10144"><![CDATA[Core: Platform]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i006v3:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="1419">CP: sprint 73</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Thu, 26 Sep 2019 05:39:59 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>