Security vulnerabilities were recently identified and fixed in Elements Connect. Here are the details about these issues, their impact and the analysis and actions taken.

Nature of the issue

Vulnerabilities affected Elements Connect since  .

P2 Security issue

The vulnerability meant that a Jira user who was not a project admin could add or remove Connected items from a JSW or JWM project issue through the REST API.
This vulnerability has been rated as High, according to the scale published on the Common Vulnerability Scoring System (CVSS).
The vulnerability was brought to our notice by the Bug Bounty Program on .

P3 Security issue

Once the P2 issue had been fixed, our implementation was further improved to fix another security issue: a project admin of a project A (JSW or JWM) could add or remove Connected items from an issue of a project B (JSW or JWM) through the REST API.
This vulnerability has been rated as Medium, according to the scale published on the Common Vulnerability Scoring System (CVSS).

Impact

These vulnerabilities, if exploited, would lead to modifications of the mapping between issue types and Connected items.

An attacker with edit permissions on a JSW/JWM project could obtain values from Connected items that were not intended to be made available in the projects they could access.

An attacker without edit permissions on a JSW/JWM project could not access the values, but could still modify that project's Elements Connect configuration.

Analysis and actions taken

Once we detected these issues, the IT team drew up a plan to analyse the situation, fix the issues and deploy the fix as quickly as possible.
Our investigations revealed that the problem was caused by a missing authorization check in a new endpoint implementation: the implementation correctly required authentication (thus preventing anonymous requests), but failed to restrict the operation to project admins only.

We fixed this leak and improved the way we check authorization: we now correctly verify that the user is a project admin of the specified project.
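The authentication-without-authorization pattern described above, as an added illustration that is not Elements Connect's code: a tiny in-memory model of an endpoint that edits an issue's Connected items, showing the pre-fix check beside the fixed one. The issue keys, admin lists and request shape are constructed assumptions.

```python
"""Constructed model of the advisory's bug: authentication only (vulnerable)
versus authentication plus a per-project admin check (fixed). Not the real
Elements Connect implementation; all names and data are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Constructed fixture: which project owns each issue, and who administers it.
ISSUE_PROJECT: Dict[str, str] = {"A-1": "A", "B-7": "B"}
PROJECT_ADMINS: Dict[str, Set[str]] = {"A": {"alice"}, "B": {"bob"}}


class Unauthorized(Exception):  # no authenticated caller (anonymous request)
    pass


class Forbidden(Exception):  # authenticated, but not allowed to do this
    pass


@dataclass
class Request:
    user: Optional[str]  # None models an anonymous caller
    project_key: str     # project the client claims to be acting on
    issue_key: str       # issue whose Connected items are modified
    item_id: str


@dataclass
class Service:
    mapping: Dict[str, Set[str]] = field(default_factory=lambda: {"A": set(), "B": set()})

    def add_item_vulnerable(self, req: Request) -> None:
        # Pre-fix behaviour: any logged-in user passes (the P2 issue).
        if req.user is None:
            raise Unauthorized("login required")
        self.mapping[ISSUE_PROJECT[req.issue_key]].add(req.item_id)

    def add_item_fixed(self, req: Request) -> None:
        # Fixed behaviour: authorize against the project that actually owns
        # the target issue, which also closes the cross-project (P3) case.
        if req.user is None:
            raise Unauthorized("login required")
        owning_project = ISSUE_PROJECT[req.issue_key]
        if owning_project != req.project_key:
            raise Forbidden("issue does not belong to the specified project")
        if req.user not in PROJECT_ADMINS[owning_project]:
            raise Forbidden("caller is not a project admin of this project")
        self.mapping[owning_project].add(req.item_id)


def outcome(handler: Callable[[Request], None], req: Request) -> str:
    """Run a handler and classify the result, so both variants can be compared."""
    try:
        handler(req)
        return "ok"
    except Unauthorized:
        return "unauthorized"
    except Forbidden:
        return "forbidden"
```

Run the same request ("carol", a non-admin, editing A-1) through both handlers: the vulnerable one accepts it, the fixed one rejects it, and the fixed one also rejects alice (admin of A) acting on B-7.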

Deployment of the fixed version was conducted by following the usual CI procedure.
On top of the automated tests, we ran another series of tests to ensure that the problem was fixed in production.

Conclusion

We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for our customers.
If you have any questions, please feel free to raise a support request at support.elements-apps.com referencing "ECC-1301" for the P2 issue and "ECC-1350" for the P3 issue.