2021 01 13 - P3 Security (SSRF) issue
A security vulnerability was recently identified in Elements Connect and fixed on January 6th 2021. Here are the details about the issue, its impact and the analysis and actions taken.
Nature of the issue
The vulnerability affected first public version of Elements Connect.
The vulnerability meant that a Jira administrator could list all open ports on external database host (SSRF issue)
This vulnerability has been rated as medium, according to the scale published on the Common Vulnerability Scoring System (CVSS).
The vulnerability was brought to our notice by the Bug Bounty Program on .
Impact
Based on our investigations, the vulnerability has not been exploited.
Analysis and actions taken
Once we became aware of the issue, we first confirmed that we could reproduce it. Lately, we made changes on our app architecture which does not allow this issue to be reproduced anymore.
Deployment of the fixed version was conducted by following the usual CI procedure on .
On top of the automatic tests, we made another series of tests to ensure that the problem was fixed in production.
Conclusion
We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for our customers.
If you have any questions, please feel free to raise a support request at support.elements-apps.com referencing "ECC-902".