Email This Issue Security Advisory 2020-02-18
Security Advisory for incident SA20201.
About the vulnerability
The potential threat arises when a user expands the email details in the Email Audit Log and clicks on malicious links contained in the email body. We therefore recommend that you take extra care when opening the body of emails and clicking links in the emails shown on the issue screen or in the Email Audit Log under the app's administration page until the app is updated to the latest version.
Below is an exact example with a screenshot (screenshot not included in this text version):
This threat is only present in incoming emails; outgoing emails are not affected. Therefore, if you are not using Email This Issue's mail handler for incoming email processing, you are safe.
Once we became aware of the vulnerability, we considered our options and fixed it immediately.
How to fix the vulnerability
If you are using version 8.0.0 of the application
The fix for the vulnerability includes no new features and requires no further action on your part. Upgrade to 8.0.1 as usual and let us know if you notice anything unusual.
If you are using version 7.1.5 of the application
You can safely upgrade to version 8.0.1. Version 8.0.0 contains two major enhancements, but they do not affect existing configurations.
If you are using an older version of the application
We recommend that you upgrade to the latest version, but read the release notes carefully and check your system first.
If you are unable to update Email This Issue for Jira to version 8.0.1, please follow the below steps as a temporary workaround:
1. Navigate to Email This Issue administration's General Configuration.
2. Select "Hide" in the Email Audit Log's dropdown menu.
Note that this workaround can be applied to versions 5.3 or higher.
As a result, no users will be able to see the Emails tab at the bottom of the issue page, so the ability to click on any links there is eliminated. Administrator users will still be able to browse the email audit log in Email This Issue's administration page.
Q: Am I vulnerable if I use Jira’s internal mail handler? A: No, you are not. You’re only affected if you are using Email This Issue’s mail handler to process incoming emails.
Q: Am I vulnerable if I use my Jira in an intranet? A: Yes, unfortunately, you are. Being affected does not depend on using Jira in an intranet setting but on incoming emails from unreliable sources being processed.