A security issue was fixed on August 13th, 2021.

Nature of the issue

A security vulnerability was recently identified in Elements Publish to Confluence.
The vulnerability affected version 1.0.6-AC of Elements Publish to Confluence. The vulnerability meant that a Jira administrator could bypass Confluence permissions.

This vulnerability has been rated as high on the Common Vulnerability Scoring System (CVSS) scale, and existed from August 5th, 2021 to August 13th, 2021.

The vulnerability was brought to our attention by the Atlassian Marketplace Bug Bounty program.

Impact

Based on our investigations, the vulnerability allowed any authenticated user who consumes a Jira license to create a Confluence page without the corresponding permission.

This vulnerability could only be exploited:

  • if at least one recipe was configured in "Manual execution mode"; recipes configured to be executed in post functions were not impacted
  • by using an HTTP client such as Postman; it was not exploitable through the Jira interface. Thus, it required advanced technical skills.

Analysis and actions taken

Once we became aware of the issue, we reproduced and identified the problem's origin: we were not checking that the user executing the recipe had the rights to see/edit the source issue. From now on, the current user permissions on the source issue and on Confluence are checked before executing the recipe. 
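The missing check and the fix described above can be illustrated as follows. This is an added example, not code from Elements Publish to Confluence: the function names, the in-memory permission tables, the users and the status codes are all assumptions made for illustration, as is the choice to require both view and edit rights on the source issue.

```javascript
// Constructed sample data (hypothetical permission model, not the app's own).
const issuePerms = { "PROJ-1": { view: ["alice", "bob"], edit: ["alice", "bob"] } };
const spacePerms = { DOCS: { createPage: ["alice"] } };
const recipes = { r1: { mode: "manual", targetSpace: "DOCS" } };

// True only if `user` is listed for `action` on the object identified by `key`.
function can(table, key, action, user) {
  const entry = table[key];
  return Boolean(entry && entry[action] && entry[action].includes(user));
}

// Stand-in for the actual Confluence page creation.
function publish(recipe, issueKey, user) {
  return { status: 201, page: `${recipe.targetSpace}/${issueKey}`, author: user };
}

// "Before": authentication is the only gate. Nothing ties the caller to the
// source issue or to the target Confluence space.
function executeRecipeUnchecked(user, recipeId, issueKey) {
  if (!user) return { status: 401 };
  const recipe = recipes[recipeId];
  if (!recipe || recipe.mode !== "manual") return { status: 400 };
  return publish(recipe, issueKey, user);
}

// "After": the current user's rights on the source issue and on Confluence
// are both verified server-side before the recipe runs.
function executeRecipeChecked(user, recipeId, issueKey) {
  if (!user) return { status: 401 };
  const recipe = recipes[recipeId];
  if (!recipe || recipe.mode !== "manual") return { status: 400 };
  // Assumption: both view and edit are required on the source issue.
  const onIssue = ["view", "edit"].every((a) => can(issuePerms, issueKey, a, user));
  if (!onIssue) return { status: 403, reason: "source issue" };
  if (!can(spacePerms, recipe.targetSpace, "createPage", user)) {
    return { status: 403, reason: "confluence" };
  }
  return publish(recipe, issueKey, user);
}
```

Here `mallory` stands for a licensed Jira user with no rights on the issue and `bob` for a user who can edit the issue but cannot create pages in the target space; the checked version rejects both, while the unchecked version publishes for either.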

This vulnerability is now fixed.

We've updated the Atlassian Marketplace with an updated listing of our app that is free from this vulnerability.

No further action is required from any user at this point.

Conclusion

We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for you and our other customers.

If you have any questions, please feel free to raise a support request at support.elements-apps.com.