A security issue was fixed on December, 22th 2020.

Nature of the issue

A security vulnerability was recently identified in Elements Copy & Sync.
The vulnerability affected version 1.0.10-AC of Elements Copy & Sync. The vulnerability meant that Copy & Sync recipe configuration may have been compromised from October, 1st to December, 22th.

This vulnerability has been rated as high, according to the scale published on the Common Vulnerability Scoring System (CVSS).

The vulnerability was brought to our attention by our own security assessment. 

Impact

Based on our investigations, the vulnerability may have lead Jira users to update Jira issues that were out of their permission scope.

Analysis and actions taken

Once we became aware of the issue, we identified the problem's origin, which was that Jira users with the permission to update an issue could modify the entity properties of this issue to change its synchronization target. Thus, they could potentially write in a target issue that was not the original issue created by the Copy & Sync recipe. Based on what we found, we no longer use Jira entity properties to store synchronisation targets. This vulnerability is now fixed.

Then we worked with Atlassian to update the Atlassian Marketplace with an updated listing of our app that is free from this vulnerability.

No further action is required from any user at this point.

Conclusion

We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for you and our other customers.

If you have any questions, please feel free to raise a support request at support.elements-apps.com.