2024 08 01 - P1 Security issue
A security vulnerability was recently identified and fixed in Elements Connect. Here are the details about the issue, its impact and the analysis and actions taken.
Nature of the issue
The vulnerability was present since the version of Elements Connect for Jira Cloud published on (configuration tester additional feature).
The vulnerability meant that a Jira admin could access API key secret (query param mode) for URL datasources.
This vulnerability has been rated as critical, according to the scale published on the Common Vulnerability Scoring System (CVSS).
The vulnerability was detected by our team on and fixed on
Impact
The impact of this vulnerability is reduced by the fact that it can only be exploited by a Jira administrator that would want to compromise another Jira administrator of the same Jira site.
Based on our investigations, the vulnerability has not been exploited.
Analysis and actions taken
Once we detected the issue, a plan was then elaborated by the IT team to analyse the situation, bring a fix for the issue and deploy it as quickly as possible.
Our investigations revealed that the problem was caused by a lack of checks on the configuration tester for API datasources sending API key secret in request headers.
We deleted this feature on the configuration tester to prevent any admin user to access secret.
Deployment of the fixed version was conducted by following the usual CI procedure.
On top of the automatic tests, we made another series of tests to ensure that the problem was fixed in production.
Conclusion
We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for our customers.
If you have any questions, please feel free to raise a support request at support.elements-apps.com referencing "ECC-3389".