A security issue was fixed on August 13th, 2021.

Nature of the issue

A security vulnerability was recently identified in Elements Publish to Confluence.
The vulnerability affected version 1.0.6-AC of Elements Publish to Confluence. The vulnerability meant that a Jira administrator could bypass Confluence permissions.

This vulnerability has been rated as critical, according to the scale published by the Common Vulnerability Scoring System (CVSS), and existed from August 5th, 2021 to August 13th, 2021.

The vulnerability was brought to our attention by the Atlassian Marketplace Bug Bounty program.

Impact

Based on our investigations, the vulnerability meant that a Jira administrator could get the same permissions as a Confluence administrator and list the pages of a Confluence instance where the Elements Publish to Confluence helper app was installed. 

This vulnerability could only be exploited by using tools such as Burp and RequestBin, and not the Jira admin interface. Thus, it required advanced technical skills. No Jira data or Jira end-users were compromised.

Analysis and actions taken

Once we became aware of the issue, we reproduced it and identified the problem's origin: a Jira admin could intercept calls made by our app, analyse them, and use them to list Confluence pages. As a solution, we removed all calls made by our app and replaced them with calls made by users. Thus, the permissions given to our app will strictly respect the ones defined on the Cloud instance.
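The difference between calls made with the app's identity and calls made as the user can be modelled as follows. This is an added illustration, not code from Elements Publish to Confluence; the page names, user names and function names are constructed for the example and do not reflect any Atlassian API.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data: Confluence-like pages and who may view each one.
PAGE_VIEWERS = {
    "HR/Salaries": {"carol"},
    "ENG/Roadmap": {"alice", "carol"},
    "PUB/Welcome": {"alice", "bob", "carol"},
}


@dataclass(frozen=True)
class Request:
    app_credential: bool        # request carries the app's own identity
    acting_user: Optional[str]  # user the call is made as, if any


def list_pages_as_app(req: Request) -> List[str]:
    """Before the fix (model): authorization stops at "is this our app?".
    Whoever can replay the app's call sees every page."""
    if not req.app_credential:
        raise PermissionError("request is not from the app")
    return sorted(PAGE_VIEWERS)


def list_pages_as_user(req: Request) -> List[str]:
    """After the fix (model): the call is made as a user, so every page
    is checked against that user's own view permission."""
    if req.acting_user is None:
        raise PermissionError("no user context on request")
    return sorted(page for page, viewers in PAGE_VIEWERS.items()
                  if req.acting_user in viewers)


def demo():
    # "bob" is a constructed Jira administrator with ordinary Confluence rights.
    replayed_app_call = Request(app_credential=True, acting_user=None)
    call_as_bob = Request(app_credential=False, acting_user="bob")
    return list_pages_as_app(replayed_app_call), list_pages_as_user(call_as_bob)


if __name__ == "__main__":
    before, after = demo()
    print("app identity:", before)
    print("as user bob :", after)
```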

This vulnerability is now fixed.

We've updated the Atlassian Marketplace with an updated listing of our app that is free from this vulnerability.

No further action is required from any user at this point.

Conclusion

We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for you and our other customers.

If you have any questions, please feel free to raise a support request at support.elements-apps.com.