Skip to main content
Skip table of contents

2022 04 12 - P3 Security issue (credentials recovered)

Nature of the issue

This vulnerability was introduced in the public version released in March 3rd 2022 and describes as follows:

A Jira administrator can recover the credentials used in a REST API datasource by changing the base URL. This vulnerability has been rated as  medium as per the scale published on the Common Vulnerability Scoring System (CVSS).

This vulnerability was brought to our notice by the Bug Bounty Program on .


Impact

The impact of this vulnerability is low, as it can only be exploited by a Jira administrator that would want to compromise another Jira administrator of the same Jira site.

Based on our investigations, the vulnerability has not been exploited. 


Analysis and actions taken

After reproducing the issue on our side, an emergency unit was activated to collect all necessary information and investigation findings, perform an impact analysis, and develop a fix for the issue and deploy it the soonest possible.

 To fix the issue, we added a control on the key connection parameters (URLs, logins) when the "Save" and "Test connection" buttons are clicked. If changes in these fields are detected, then the request is not sent and the user is prompted to enter their credentials again to authenticate to the remote service.

 The fixed version was released following the usual CI procedure on .

In addition to automatic integration tests, we conducted thorough non-regression tests manually to confirm the resolution of the issue.

Conclusion

 We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for our customers.
If you have any questions, please feel free to raise a support request at support.elements-apps.com referencing "ECC-1709".

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.