A security issue was fixed on June, 1st 2021.
Nature of the issue
A security vulnerability was recently identified in Elements Copy & Sync.
The vulnerability affected version 1.0.25-AC of Elements Copy & Sync. The vulnerability meant that Copy & Sync recipe configuration could have been executed without authorization from October, 1st 2020 to May, 31th 2021.
This vulnerability has been rated as high, according to the scale published on the Common Vulnerability Scoring System (CVSS).
The vulnerability was brought to our attention by the Bug Bounty program.
Impact
Based on our investigations, the vulnerability allows any authenticated user who consumes a Jira license to edit issues even if he does not have the "Edit issue" permission.
This vulnerability can only be exploited:
- if at least one recipe is configured in "Manual execution mode", recipes configured to be executed in Post functions are not impacted
- by using HTTP clients like Postman, it's not exploitable through Jira interface. Thus, it requires advanced technical skills.
Analysis and actions taken
Once we became aware of the issue, we reproduced and identified the problem's origin: we were not checking that the user executing the recipe has the rights to see/edit the source or target issue. From now on, the current user permissions on issues are checked before executing the recipe.
This vulnerability is now fixed.
We've updated the Atlassian Marketplace with an updated listing of our app that is free from this vulnerability.
No further action is required from any user at this point.
Conclusion
We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for you and our other customers.
If you have any questions, please feel free to raise a support request at support.elements-apps.com.