2024-08-29 - P3 Security Issue
Nature of the issue
This vulnerability was introduced in the app's initial version, released on June 3rd 2024, and is described as follows: a user who is not authorized to use the app can invoke its Forge functions directly using GraphQL.
This vulnerability was brought to our attention through the Bug Bounty Program on 29 June 2024.
Impact
The impact of this vulnerability is moderate.
A regular Jira user (one who has not been granted access to Elements Pulse in Jira) could reach certain administrative settings in Elements Pulse by manipulating network requests, calling the app's Forge functions directly instead of through the user interface, and perform administrative actions within the application (delete a profile, create a survey, set goals).
Based on our investigations, the vulnerability has not been exploited.
Analysis and actions taken
After reproducing the issue on our side, a team was assembled to collect all necessary information and investigation findings, develop a fix for the issue, and deploy it as soon as possible.
To fix the issue, we added security checks in all affected services. User rights are now verified on every Forge function call, so a call that bypasses the user interface is rejected in the same way as one made through it.
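The following is an added illustration of the class of fix described above; it is not Elements Pulse code and does not use the real Forge resolver or Jira permission APIs. It assumes a small in-memory function registry standing in for the resolver's define() call, a constructed admin-account list standing in for the real rights lookup, and the three administrative actions named in the Impact section. The pre-fix pattern (defineRaw, used here for setGoals) trusts that only the admin UI calls the function; the post-fix pattern (defineProtected) checks the caller's rights inside the function on every call, which is the only control that holds when the caller goes straight to the invoke endpoint. The unprotectedFunctions() audit is the regression check a practitioner would add so that no function can be registered without the wrapper.

```javascript
// Added example, not Elements Pulse code. Models server-side authorization
// enforced inside every backend function, the class of fix the advisory describes.

// Constructed stand-in for the real rights lookup. In a Forge app this would be
// a call to a Jira permissions or app-settings API (assumption, not a real API).
// If that lookup is asynchronous, the wrapper must await it: an un-awaited
// Promise is truthy and would let every caller through.
const ADMIN_ACCOUNTS = new Set(['admin-account-1']);

function isAppAdmin(accountId) {
  return ADMIN_ACCOUNTS.has(accountId);
}

// Function registry standing in for the resolver's define(name, handler).
const handlers = new Map();
const protectedNames = new Set();

// Pre-fix pattern: the handler trusts that only the admin UI calls it.
function defineRaw(name, handler) {
  handlers.set(name, (req) => ({ status: 200, data: handler(req) }));
}

// Post-fix pattern: rights are checked on every call, before the handler runs.
function defineProtected(name, handler, { adminOnly = true } = {}) {
  protectedNames.add(name);
  handlers.set(name, (req) => {
    const accountId = req && req.context && req.context.accountId;
    if (!accountId) return { status: 401, error: 'unauthenticated' };
    if (adminOnly && !isAppAdmin(accountId)) {
      return { status: 403, error: 'forbidden' };
    }
    return { status: 200, data: handler(req) };
  });
}

// Audit: names of registered functions that did not go through the wrapper.
// A regression test should assert this is empty.
function unprotectedFunctions() {
  return [...handlers.keys()].filter((name) => !protectedNames.has(name));
}

// Constructed application state for the admin actions named in the advisory.
const state = { profiles: new Set(['p1', 'p2']), surveys: [], goals: null };

defineProtected('deleteProfile', (req) => {
  state.profiles.delete(req.payload.profileId);
  return [...state.profiles];
});
defineProtected('createSurvey', (req) => {
  state.surveys.push(req.payload.title);
  return state.surveys.length;
});
// Read-only action any app user may call: still goes through the wrapper,
// so an unauthenticated caller is rejected.
defineProtected('listSurveys', () => [...state.surveys], { adminOnly: false });

// Left on the pre-fix pattern to show what the audit catches.
defineRaw('setGoals', (req) => {
  state.goals = req.payload.goal;
  return state.goals;
});

// Models the invocation path: whoever can reach the invoke endpoint chooses the
// function key and payload, so the check inside the function is the only control.
function invoke(functionKey, accountId, payload = {}) {
  const fn = handlers.get(functionKey);
  if (!fn) return { status: 404, error: 'unknown function' };
  return fn({ context: { accountId }, payload });
}
```

With this registry, invoke('deleteProfile', 'regular-user', ...) is refused with 403 while the same call from 'admin-account-1' succeeds, and invoke('setGoals', 'regular-user', ...) still succeeds because setGoals was registered without the check; unprotectedFunctions() reports exactly that function.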
The fixed version was released following the usual CI procedure on 29 August 2024.
We conducted thorough non-regression tests manually to confirm the resolution of the issue.
Conclusion
We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for our customers.
If you have any questions, please feel free to raise a support request at support.elements-apps.com referencing "XLA-162".