2024/10/29 - Security improvements
Nature of the issue
A vulnerability was discovered in the "Elements Publish" app, impacting Jira Cloud instances with public projects. When a Jira project is set to public and a customer (attacker) account exists, the attacker can escalate privileges and access Recipes linked to the public project. This flaw allows unauthorized external users to view data that should only be accessible to internal Jira users.
The vulnerability was brought to our attention by the Atlassian Marketplace Bug Bounty program.
Impact
This vulnerability allows external attackers to escalate privileges in a sophisticated manner, gaining access to sensitive internal content that should only be available to internal Jira users. This could lead to the exposure of proprietary or sensitive data, impacting the confidentiality of internal processes. The exposure of data was limited to the recipe configuration.
Analysis and actions taken
Once we became aware of the issue, we reproduced it and identified its origin, then ensured that only internal logged-in users could access the recipe configuration.
This vulnerability is now fixed.
We have published an updated listing of our app on the Atlassian Marketplace that is free from this vulnerability.
No further action is required from any user at this point.
Conclusion
We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for you and our other customers.
If you have any questions, please feel free to raise a support request at support.elements-apps.com.