Email This Issue Security Advisory September 28, 2020
Advisory Key: SA-2020-2
Summary: Critical Security Vulnerability in Email This Issue for Jira Cloud
Incident Description: App configuration and email audit log accessible using specially formatted URL
Customer Affected: All customers of Email This Issue for Jira Cloud
Advisory Release Date: September 28, 2020
Incident status: RESOLVED
A critical vulnerability was discovered on September 17, 2020 through a security incident report submitted via our support portal. With a specially formatted URL, it was possible to bypass the existing authorization checks and gain unauthorized access to the administration screens of Email This Issue for Jira Cloud. If exploited, an attacker could have gained access to configuration data and emails stored within the app’s .
The vulnerability has existed since the initial release of the Cloud App and affected all customers.
Our developers eliminated the threat within a few hours and immediately deployed the fix to all customers.
Right after fixing the app, we reported the incident to Atlassian and asked for help in determining whether the vulnerability had ever been exploited. Security investigations carried out by Atlassian Application Security experts found that the logs indicated that the vulnerability had not been exploited since it appeared in the app.
You do not need to do anything, as the vulnerability was fixed right after we became aware of it. It is no longer possible to exploit it.
We are committed to following the security standards set by Atlassian for Marketplace Vendors.
We executed thorough security tests related to Email This Issue for Jira Cloud and the underlying infrastructure. The tests were performed in Q1-Q2 of 2020.
We are preparing to execute these tests regularly in the future.
We have started the approval process for the Atlassian Security Self Assessment Program.
We participate in the Atlassian Marketplace Bug Bounty Program and, as part of the program, we have invited security researchers to find any potential security issues in the app. Our is publicly accessible.
If you have any questions, please raise a referencing "SA-2020-2" in the summary or send us an email to and include "SA-2020-2" in the subject.