A security vulnerability was recently identified and fixed in Elements Connect. Here are the details about the issue, its impact and the analysis and actions taken.
Nature of the issue
The vulnerability affected version 1.1.0-AC of Elements Connect.
The vulnerability means that Elements Connect Cloud items and database configurations of all users may have been read or changed by unintended users. No database password was leaked.
This vulnerability has been rated as critical, according to the scale published on the Common Vulnerability Scoring System (CVSS).
The vulnerability was brought to our notice by the Bug Bounty Program.
Impact
Based on our investigations, the vulnerability had no impact and was fixed as soon as we have been aware of it. Please note that no database password have been leaked, because there is no endpoint allowing to retrieve them.
It is on the other hand possible that an attacker had access (read/write) to Elements app data (configurations and item options) during the exposed period.
Analysis and actions taken
Once we became aware of the issue, we first confirmed that we could reproduce it. A plan was then elaborated by the IT team to analyse the situation, bring a fix for the issue and deploy it as quickly as possible.
Our investigations revealed that the problem was rooted in the way the Spring Boot instance running our app was (auto-)configured. JEE sessions were not disabled and malicious users were able to make unauthorized REST calls by reusing the session cookie.
We disabled the JEE sessions completely in the app, which fixed the problem.
Deployment of the fixed version was conducted by following the usual CI procedure.
On top of the automatic tests, we made another series of tests to ensure that the problem was fixed in production.
We then worked with Atlassian to update the Atlassian Marketplace with an updated listing of our app that is free from this vulnerability. No further action is required from you at this point.
Conclusion
We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for our customers.
If you have any questions, please feel free to raise a support request at support.elements-apps.com referencing "ECJC-40".