A security issue was fixed on September 7th, 2022.

Nature of the issue

A security vulnerability was recently identified in Elements Copy & Sync.
The vulnerability affected version 1.0.62-AC of Elements Copy & Sync. It meant that the Copy & Sync API token could be revoked and replaced without authorization from September 5th to September 7th, 2022.

This vulnerability has been rated High according to the Common Vulnerability Scoring System (CVSS).

The vulnerability was brought to our attention through the Bug Bounty program.

Impact

Based on our investigations, the vulnerability allows an attacker to create a new Copy & Sync API token, revoke the existing one, and trigger a Copy & Sync recipe to copy an issue.

This vulnerability can only be exploited if all of the following conditions are satisfied:

  • at least one recipe is configured and activated;
  • that recipe targets only one project and one issue type;
  • the attacker knows the recipe's unique identifier;
  • an API actor has been defined by a Jira admin within Copy & Sync, or the attacker has access to a user account ID (obtaining one is out of scope for this vulnerability);
  • the attacker uses an HTTP client such as Postman: the issue is not exploitable through the Jira interface, so it requires advanced technical skills.

No Jira data or Jira end users were compromised.

Analysis and actions taken

Once we became aware of the issue, we reproduced it and identified its origin: the app was not checking the origin of the requester on the REST API it sets up for Copy & Sync, so requests to create or revoke the API token were accepted without verifying who sent them.
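To illustrate the pattern behind this root cause, the following Python is an added example and not code from Elements Copy & Sync: the handler names, the `Request` and `Principal` shapes and the in-memory `AppState` are assumptions. It places a token-rotation handler that trusts any caller beside one that requires an authenticated Jira admin, and a recipe trigger that treats the recipe identifier as if it were a secret beside one that demands the current API token.

```python
# Added illustration of a missing requester check on token-management endpoints.
# Not Elements Copy & Sync code; handler names, Request/Principal shapes and
# AppState are assumptions made for this example.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Principal:
    """Caller identity established upstream (e.g. from a verified app JWT); assumed shape."""
    account_id: str
    is_jira_admin: bool


@dataclass
class Request:
    principal: Optional[Principal] = None        # None: the caller is unauthenticated
    headers: dict = field(default_factory=dict)


@dataclass
class AppState:
    api_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    recipes: dict = field(default_factory=dict)  # recipe id -> {"project", "issue_type"}
    copies: list = field(default_factory=list)   # record of every copy that was triggered


class Forbidden(Exception):
    """Raised when the requester is not entitled to the operation."""


def rotate_token_unchecked(req: Request, state: AppState) -> str:
    """Vulnerable pattern: whoever can reach the endpoint replaces the token."""
    state.api_token = secrets.token_urlsafe(32)
    return state.api_token


def rotate_token_checked(req: Request, state: AppState) -> str:
    """Hardened: the requester must be authenticated and must be a Jira admin."""
    if req.principal is None or not req.principal.is_jira_admin:
        raise Forbidden("token rotation requires an authenticated Jira admin")
    state.api_token = secrets.token_urlsafe(32)
    return state.api_token


def _bearer_token(req: Request) -> str:
    auth = req.headers.get("Authorization", "")
    return auth[len("Bearer "):] if auth.startswith("Bearer ") else ""


def _run_recipe(state: AppState, recipe_id: str) -> dict:
    recipe = state.recipes[recipe_id]
    copy = {"recipe": recipe_id, "project": recipe["project"], "issue_type": recipe["issue_type"]}
    state.copies.append(copy)
    return copy


def trigger_recipe_unchecked(req: Request, state: AppState, recipe_id: str) -> dict:
    """Vulnerable pattern: knowing the recipe id is enough to run it."""
    return _run_recipe(state, recipe_id)


def trigger_recipe_checked(req: Request, state: AppState, recipe_id: str) -> dict:
    """Hardened: the recipe id is a locator, not a credential; require the API token.
    compare_digest on bytes keeps the comparison constant-time and rejects any input."""
    if not hmac.compare_digest(_bearer_token(req).encode(), state.api_token.encode()):
        raise Forbidden("a valid Copy & Sync API token is required")
    return _run_recipe(state, recipe_id)


def demo() -> dict:
    """Walk an unauthenticated caller who knows a recipe id through both versions."""
    state = AppState()
    state.recipes["recipe-1"] = {"project": "PROJ", "issue_type": "Task"}  # constructed sample
    anonymous = Request()                                  # no principal, no token
    admin = Request(principal=Principal("acc-admin", True))
    original = state.api_token
    result = {}
    result["unchecked_rotated"] = rotate_token_unchecked(anonymous, state) != original
    try:
        rotate_token_checked(anonymous, state)
        result["checked_rotated_by_anonymous"] = True
    except Forbidden:
        result["checked_rotated_by_anonymous"] = False
    result["checked_rotated_by_admin"] = rotate_token_checked(admin, state) != original
    result["unchecked_copy_by_anonymous"] = (
        trigger_recipe_unchecked(anonymous, state, "recipe-1")["project"] == "PROJ")
    try:
        trigger_recipe_checked(anonymous, state, "recipe-1")
        result["checked_copy_by_anonymous"] = True
    except Forbidden:
        result["checked_copy_by_anonymous"] = False
    holder = Request(headers={"Authorization": "Bearer " + state.api_token})
    result["checked_copy_with_token"] = (
        trigger_recipe_checked(holder, state, "recipe-1")["recipe"] == "recipe-1")
    result["copies"] = len(state.copies)
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the checked variants is that possession of an identifier (the recipe id) or mere reachability of an endpoint never stands in for authorization: the rotation path asks who the caller is, and the trigger path asks for the credential the feature was designed around.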

This vulnerability is now fixed.

We have published an updated version of the app on the Atlassian Marketplace that is free from this vulnerability.

No further action is required from any user at this point.

Conclusion

We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for you and our other customers.

If you have any questions, please feel free to raise a support request at support.elements-apps.com.