
Advisory Key: SA-2020-2

Summary: Critical Security Vulnerability in Email This Issue for Jira Cloud

Incident Description: App configuration and email audit log accessible using a specially formatted URL

Customers Affected: All customers of Email This Issue for Jira Cloud

Advisory Release Date: September 28, 2020

Incident Status: Resolved


About the vulnerability

A critical vulnerability was discovered on September 17, 2020 through a security incident report submitted via our support portal. The vulnerability meant that, with a specially formatted URL, unauthorized access to the administration screens of Email This Issue for Jira Cloud was possible, bypassing the existing authorization checks. If exploited, an attacker could have gained access to configuration data and to the emails stored in the app's Email Audit Log.

The vulnerability has existed since the initial release of the Cloud App and affected all customers.

Our developers eliminated the threat within a few hours and immediately deployed the fix to all customers.

Was the vulnerability exploited?

Right after fixing the app, we reported the incident to Atlassian and asked for help in determining whether the vulnerability had ever been exploited. The security investigation carried out by Atlassian Application Security experts confirmed that the logs indicated the vulnerability had not been exploited at any point since it appeared in the app.

What do you need to do?

You do not need to do anything: the vulnerability was fixed as soon as we became aware of it, and it can no longer be exploited.

What do we do to improve security in our apps?

We are committed to following the security standards set by Atlassian for Marketplace Vendors.

  • We executed thorough security tests related to Email This Issue for Jira Cloud and the underlying infrastructure. The tests were performed in Q1-Q2 of 2020.

  • We are preparing to execute these tests regularly in the future.

  • We participate in the Atlassian Marketplace Bug Bounty Program and, as part of the program, we have invited security researchers to find any potential security issues in the app. Our Bug Bounty Program is publicly accessible.

  • We have started the approval process for the Atlassian Security Self Assessment Program.

Got a question?
