Email This Issue Security Advisory September 28, 2020

Advisory Key

SA-2020-2

Summary

Critical Security Vulnerability in Email This Issue for Jira Cloud

Incident Description

App configuration and email audit log accessible using a specially formatted URL

Customers Affected

All customers of Email This Issue for Jira Cloud

Advisory Release Date

September 28, 2020

Incident Status

RESOLVED

About the vulnerability

A Critical vulnerability was discovered on September 17, 2020 through a security incident report submitted via our support portal. The vulnerability meant that, using a specially formatted URL, unauthorized access to the administration screens of Email This Issue for Jira Cloud was possible, bypassing the existing authorization checks. If exploited, an attacker could have gained access to configuration data and to emails stored within the app’s Email Audit Log.

The vulnerability has existed since the initial release of the Cloud App and affected all customers.

Our developers eliminated the threat within a few hours and immediately deployed the fix to all customers.

Was the vulnerability exploited?

Right after fixing the app, we reported the incident to Atlassian and asked for help in determining whether the vulnerability had ever been exploited. Security investigations carried out by Atlassian Application Security experts confirmed that the logs indicated the vulnerability was not exploited at any point after it appeared in the app.

What do you need to do?

You do not need to do anything, as the vulnerability was fixed right after we became aware of it. It is no longer possible to exploit it.

What do we do to improve security in our apps?

We are committed to following the security standards set by Atlassian for Marketplace Vendors.

  • We executed thorough security tests related to Email This Issue for Jira Cloud and the underlying infrastructure. The tests were performed in Q1-Q2 of 2020.

  • We are preparing to execute these tests regularly in the future.

  • We participate in the Atlassian Marketplace Bug Bounty Program and, as part of the program, we have invited security researchers to find any potential security issues in the app. Our Bug Bounty Program is publicly accessible.

  • We have started the approval process for the Atlassian Security Self Assessment Program.

Got a question?

If you have any questions, please raise a support request referencing "SA-2020-2" in the summary, or send an email to support@metainf.atlassian.net with "SA-2020-2" in the subject.

Last updated