2023/01/16 - Security improvements

A security issue was fixed on January, 16th 2023.

Nature of the issue

A security vulnerability was recently identified in Elements Publish.

The vulnerability affected version 1.0.45-AC of Elements Publish. The vulnerability meant that it was possible to publish Jira issue data in a Confluence space that is restricted to the user triggering the recipe from July 16th 2023 to January 16th 2024.

This vulnerability has been rated as low, according to the scale published on the Common Vulnerability Scoring System (CVSS).

The vulnerability was brought to our attention by the Bug Bounty program. 

Impact

This behavior allows malicious users to create Jira issues with any arbitrary information and publish them in a restricted space impersonating the user configured in the Elements Publish plugin. In this case, such behavior could lead to data loss by overwriting pages from an internal Confluence space. This vulnerability could also be exploited to alter page content or create new pages.

However, this vulnerability requires many conditions:

1. To create a page, parent page must be known (ID + Space Key)
2. To update an existing page:
   1. info of the page and ID of the parent page must be known.
   2. access to the associated Jira issue is needed.

Each one of these conditions require information attacker should normally not have, this is why the criticality was low.

Analysis and actions taken

Once we became aware of the issue, we reproduced and identified the problem's origin: unconditional retrieval of information from the request that triggered execution of the recipe.

Action taken: Depending on the recipe configuration, we now ensure that the user who initiates the recipe execution has the permission to publish under the given parent page.

This vulnerability is now fixed.

We've updated the Atlassian Marketplace with an updated listing of our app that is free from this vulnerability.

No further action is required from any user at this point.

Conclusion

We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for you and our other customers.

If you have any questions, please feel free to raise a support request at support.elements-apps.com.