2024/08/22 - Security improvements
A security issue was fixed on August 22nd 2024.
Nature of the issue
A security vulnerability was recently identified in Elements Overview.
The vulnerability affected version 5.2.0-AC of Elements Overview. It meant that Jira Project Admins could expose internal comments to users of Jira Service Management customer portal requests, which amounts to a privilege escalation.
This vulnerability has been rated as moderate according to the Common Vulnerability Scoring System (CVSS) scale, and existed from June 26th 2024 to August 22nd 2024.
The vulnerability was brought to our attention by the Atlassian Marketplace Bug Bounty program.
Impact
Based on our investigations, the vulnerability meant that a Jira Project Administrator could create an overview that displayed comments from related issues.
In this case, when the comments in question were marked as “Internal” instead of “Public”, their content was still exposed in the overview through an error message that included it. Customers could therefore read internal comments that should never have been visible to them, which is a privilege escalation issue.
It should be noted that this logic flaw could only be exploited if a Jira Project Admin had created such an overview, one that included comments on Jira Service Management customer portal requests.
Analysis and actions taken
Once we became aware of the issue, we reproduced it and identified the origin of the problem: when internal comments were included in Jira Service Management overviews, a stack trace containing the internal comment content was displayed where nothing should have been shown. As a solution, we removed the ability to display comments in overviews.
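The failure mode described above, reduced to a constructed illustration (this is added example code, not Elements Overview's implementation; the Comment model, the function names and the sample comments are assumptions): an error message that carries the comment body leaks an internal comment to a customer, while the hardened version filters by visibility before rendering and keeps data out of user-facing error text.

```python
from dataclasses import dataclass


@dataclass
class Comment:
    body: str
    internal: bool  # JSM "Internal" comment (True) vs "Public" comment (False)


class RenderError(Exception):
    pass


def render_overview_leaky(comments, viewer_is_customer):
    """Vulnerable pattern: the intent is to show nothing for an internal
    comment, but the exception message embeds the comment body."""
    cells = []
    for c in comments:
        if c.internal and viewer_is_customer:
            raise RenderError(f"cannot render internal comment: {c.body}")
        cells.append(c.body)
    return cells


def show_leaky(comments, viewer_is_customer):
    """The UI layer surfaces str(exc) to the viewer, so the body leaks."""
    try:
        return render_overview_leaky(comments, viewer_is_customer)
    except RenderError as exc:
        return [f"Error: {exc}"]


def render_overview_safe(comments, viewer_is_customer):
    """Hardened: drop comments the viewer may not see before rendering,
    and return a generic error that never includes the underlying data."""
    try:
        visible = [c for c in comments if not (c.internal and viewer_is_customer)]
        return [c.body for c in visible]
    except Exception:
        return ["Error: this overview could not be rendered"]


# Constructed sample data: one public and one internal comment.
SAMPLE = [
    Comment("Thanks, we are looking into it", internal=False),
    Comment("Customer is on a trial licence, do not upsell yet", internal=True),
]
```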
This vulnerability is now fixed.
We've published an updated version of our app on the Atlassian Marketplace that is free from this vulnerability.
No further action is required from any user at this point.
Conclusion
We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for you and our other customers.
If you have any questions, please feel free to raise a support request at support.elements-apps.com.