Skip to main content
Skip table of contents

2020 12 01 - P1 Security issue

A security vulnerability was recently identified and fixed in Elements Connect. Here are the details about the issue, its impact and the analysis and actions taken.

Nature of the issue

The vulnerability affected version 1.1.3-AC of Elements Connect.
The vulnerability means that an Elements Connect administrator could run a system command on Elements Connect server.
This vulnerability has been rated as critical, according to the scale published on the Common Vulnerability Scoring System (CVSS).
The vulnerability was brought to our notice by the Bug Bounty Program on  .

Impact

Based on our investigations, the vulnerability has not been exploited and no Elements Connect configuration has been leaked.

Analysis and actions taken

Once we became aware of the issue, we first confirmed that we could reproduce it. A plan was then elaborated by the IT team to analyse the situation, bring a fix for the issue and deploy it as quickly as possible.
Our investigations revealed that the problem was caused by an option of FreeMarker - the "BuiltinClassResolver" - that allows execution of system commands from a template.

We deactivated this option, which fixed the problem.

Deployment of the fixed version was conducted by following the usual CI procedure on  .
On top of the automatic tests, we made another series of tests to ensure that the problem was fixed in production.
We then worked with Atlassian to update the Atlassian Marketplace with an updated listing of our app that is free from this vulnerability. No further action is required from you at this point.

Conclusion

We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for our customers.
If you have any questions, please feel free to raise a support request at support.elements-apps.com referencing "ECC-915".

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.