Email This Issue Security Advisory 2020-02-18

Security Advisory for incident SA20201.

Summary

A vulnerability has been discovered affecting the Email audit log and its items in all versions of the app. It allows an attacker to inject a persistent cross-site scripting (XSS) payload.

Advisory Release Date

2020-02-18

Affected versions

All versions before 8.0.1

Fixed version

8.0.1

About the vulnerability

The vulnerability affects the Email audit log and its items in all versions of the app. It allows an attacker to inject a persistent cross-site scripting (XSS) payload.

The potential threat arises from expanding the Email details in the Email Audit Log and clicking on the malicious links. We therefore recommend that you take extra care when opening the body of emails and clicking links in the emails shown on the issue screen or in the Email Audit Log under the app's administration page until the app is updated to the latest version.

Below is an exact example with a screenshot:

This threat is only present in incoming emails; outgoing emails are not affected. Therefore, if you are not using Email This Issue's mail handler for incoming email processing, you are safe.

Once we became aware of the vulnerability, we considered our options and fixed it immediately.

How to fix the vulnerability

If you are using version 8.0.0 of the application

The vulnerability fix does not include new features and requires no further action on your part. Upgrade to 8.0.1 as usual and let us know if you notice anything unusual.

If you are using version 7.1.5 of the application

You can safely upgrade to version 8.0.1. Version 8.0.0 contains two major enhancements, but it does not explicitly affect current configurations.

If you are using an older version of the application

We recommend that you upgrade to the latest version, but read the release notes carefully and check your system first.

The official instructions for updating the application are available on the Atlassian support page.

Workaround

If you are unable to update Email This Issue for Jira to version 8.0.1, follow the steps below as a temporary workaround:

  1. Navigate to Email This Issue administration’s General Configuration.

  2. Select "Hide" in the Email Audit Log’s dropdown menu.

Note that this workaround can be applied to versions 5.3 or higher.

As a result, no users will be able to see the Emails tab at the bottom of the issue page (hence the ability to click on any links is eliminated). Administrator users will still be able to browse the email audit log in Email This Issue’s administration page.

If you have any questions, please raise a support request referencing "SA-20201" in the summary, or send an email to support@metainf.atlassian.net and include "SA-20201" in the subject.

FAQ

Q: Am I vulnerable if I use Jira’s internal mail handler?
A: No, you are not. You’re only affected if you are using Email This Issue’s mail handler to process incoming emails.

Q: Am I vulnerable if I use my Jira in an intranet?
A: Yes, unfortunately, you are. Being affected does not depend on using Jira in an intranet setting but on incoming emails from unreliable sources being processed.
