2020 12 17 - P2 Security issue
A security vulnerability was recently identified in Elements Connect and fixed on December 17th 2020. Here are the details about the issue, its impact and the analysis and actions taken.
Nature of the issue
The vulnerability affected version 1.1.3-AC of Elements Connect.
The vulnerability means that any non-administrator user logged in Jira Cloud could execute administractions actions (create / delete / update) on Elements Connect configurations related to its Jira Cloud instance.
This vulnerability has been rated as major, according to the scale published on the Common Vulnerability Scoring System (CVSS).
The vulnerability was brought to our notice by our developer team on .
Impact
Based on our investigations, the vulnerability has not been exploited and no Elements Connect configuration has been leaked.
Analysis and actions taken
Once we became aware of the issue, we first confirmed that we could reproduce it. A plan was then elaborated by the IT team to analyse the situation, bring a fix for the issue and deploy it as soon as possible.
Our investigations revealed that the problem was caused by permissions check not correctly done on Elements Connect administration REST API endpoints (server side).
We implemented a mechanism to check user permissions on each administration REST API endpoints.
Deployment of the fixed version was conducted by following the usual CI procedure on .
On top of the automatic tests, we made another series of tests to ensure that the problem was fixed in production.
Conclusion
We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for our customers.
If you have any questions, please feel free to raise a support request at support.elements-apps.com referencing "ECC-885".