Email This Issue Security Advisory September 28, 2020


Advisory Key: SA-2020-2

Summary: Critical Security Vulnerability in Email This Issue for Jira Cloud

Incident Description: App configuration and email audit log accessible using a specially formatted URL

Customers Affected: All customers of Email This Issue for Jira Cloud

Advisory Release Date: September 28, 2020

Incident Status: RESOLVED

About the vulnerability

A critical vulnerability was discovered on September 17, 2020 through a security incident report submitted via our support portal. With a specially formatted URL it was possible to reach the administration screens of Email This Issue for Jira Cloud while bypassing the existing authorization checks. If exploited, an attacker could have gained access to configuration data and to the emails stored in the app's Email Audit Log.

The vulnerability has existed since the initial release of the Cloud App and affected all customers.

Our developers eliminated the threat within a few hours and immediately deployed the fix to all customers.

Was the vulnerability exploited?

Right after fixing the app, we reported the incident to Atlassian and asked for help in determining whether the vulnerability had ever been exploited. The investigation carried out by Atlassian's application security experts confirmed that the logs showed no indication of the vulnerability having been exploited at any time since it was introduced into the app.

What do you need to do?

You do not need to do anything: the vulnerability was fixed as soon as we became aware of it, and it can no longer be exploited.

What do we do to improve security in our apps?

We are committed to following the security standards set by Atlassian for Marketplace vendors.

  • We carried out thorough security tests of Email This Issue for Jira Cloud and the underlying infrastructure. The tests were performed in Q1-Q2 of 2020.

  • We are preparing to run these tests on a regular basis in the future.

  • We have started the process of getting approved in the Atlassian Security Self Assessment Program.

Got a question?

We participate in the Atlassian Marketplace Bug Bounty Program and, as part of the program, we have invited security researchers to look for potential security issues in the app. Our Bug Bounty Program is publicly accessible.

If you have any questions, please raise a support request referencing "SA-2020-2" in the summary, or send an email to support@metainf.atlassian.net with "SA-2020-2" in the subject.
