Blog from November, 2023

First Confluence

When Atlassian released Confluence 7.0, the Java mail library was among the libraries updated to a newer version. Unfortunately, it turned out that this version had an issue that made it impossible for S/Notify to work properly any more. It took a while until the problem was finally fixed with another update of the Java mail library in Confluence 7.5.

Then Jira

Jira was still using an old version of the Java mail library that needed an update, too. So in Jira 8.10, Atlassian updated it to the version that was known not to have the issue, as in Confluence 7.5. Good job!

However (you knew there would be a however), they did not remove the problem version – maybe it came from an earlier update of the library and was then forgotten after the second? We don’t know, but this led to strange and unpredictable effects. For example, S/Notify sometimes worked and sometimes didn’t, depending on which library had been loaded – there was no foreseeable pattern.

Atlassian fixed that problem relatively quickly in Jira 8.12.

Now Bitbucket

Bitbucket stayed on an old version for quite a long time before Atlassian eventually decided to update the Java mail library. Unfortunately, it looks like the lessons learned from Confluence and Jira had been forgotten. That’s probably why, in Bitbucket 8.16, Atlassian decided to update again to the broken version 1.6.2 of the Java mail library!

We immediately filed a bug report, and now we’re hoping – once again – for Atlassian to get this issue fixed very soon.

Actions To Take

In the meantime, either don’t upgrade to Bitbucket 8.16+ or, if you need to, apply our proven fix after installing Bitbucket, as explained here.
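To see which Java mail library versions an installation actually has on disk, for instance before and after an upgrade, a check like the following can help. It is an added example, not part of S/Notify, Atlassian tooling, or the fix referenced above; the jar naming pattern (`javax.mail-<version>.jar` / `jakarta.mail-<version>.jar`) and the directory you pass in are assumptions.

```shell
#!/usr/bin/env bash
# Added example: list Java mail library jars under an installation directory,
# flag the version this post names as broken (1.6.2), and flag the case where
# more than one version is present (the Jira 8.10 situation described above).
# Assumption: jars are named javax.mail-<version>.jar or jakarta.mail-<version>.jar.

BROKEN_VERSION="1.6.2"   # version named in the post

# Print the distinct mail-library versions found under directory $1, one per line.
mail_versions() {
  find "$1" -type f \( -name 'javax.mail-*.jar' -o -name 'jakarta.mail-*.jar' \) 2>/dev/null |
    sed -nE 's#.*/(javax|jakarta)\.mail-([0-9][0-9A-Za-z.-]*)\.jar$#\2#p' |
    sort -u
}

# Exit status: 0 = one version, not the broken one; 1 = broken version present;
# 2 = several versions present; 3 = both; 4 = no matching jar found.
check_mail_jars() {
  local dir="$1" versions count rc=0
  versions="$(mail_versions "$dir")"
  if [ -z "$versions" ]; then
    echo "no Java mail jar found under $dir (jar naming may differ)"
    return 4
  fi
  count="$(printf '%s\n' "$versions" | wc -l | tr -d ' ')"
  echo "found version(s): $(printf '%s' "$versions" | tr '\n' ' ')"
  if printf '%s\n' "$versions" | grep -Fqx "$BROKEN_VERSION"; then
    echo "WARNING: version $BROKEN_VERSION is present"
    rc=$((rc | 1))
  fi
  if [ "$count" -gt 1 ]; then
    echo "WARNING: $count different versions on disk; which one is loaded is not predictable"
    rc=$((rc | 2))
  fi
  return "$rc"
}

# Run against a directory given on the command line.
if [ "$#" -ge 1 ]; then check_mail_jars "$1"; fi
```

Pass the product's installation directory as the only argument; a non-zero exit status means the result needs a closer look.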

Vulnerabilities found in S/Notify

We have fixed the following two vulnerabilities in the S/Notify app, one of which has been assessed as high severity. Unfortunately, it is a general vulnerability, so most customers will be affected. However, we have no reports or other indication of any of these vulnerabilities being actively exploited.

Please refer to our documentation for full details about the vulnerabilities found, which installations are affected, and how to temporarily mitigate the vulnerabilities:
https://goto.savignano.net/snotify/security_advisory/sntfy-1035

We recommend that you plan to update as soon as possible to our latest fix releases:

  • S/Notify for Jira 4.0.2

  • S/Notify for Confluence 4.0.2

  • S/Notify for Bitbucket 2.0.1

With this information, we strive to provide you with optimum transparency. Please reach out to us if you have further questions.

Abstract

CSRF based XSS vulnerability found in S/MIME user upload

We would like to inform our clients about a CSRF (Cross Site Request Forgery) based XSS (Cross Site Scripting) vulnerability that has been found in the S/MIME certificate upload functionality of the User Profile pages of S/Notify for Confluence.

You are affected when

  • you use S/Notify for Confluence

  • and you have allowed users to upload their own S/MIME certificates

For further clarification, you are not affected when

  • you use S/Notify for Jira or S/Notify for Bitbucket

  • or you have enabled the PGP key upload and not S/MIME

Description

While a user is logged on, a specially crafted certificate can be used to inject malicious content that can be executed within the context of the user’s permissions.

The injection could be initiated by the user clicking a malicious link in an email or by visiting a malicious website.

Background

Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of this domain. Stored XSS that is based inside the URL can be found on this domain, which allows an attacker to control code that is executed within a user’s browser.

From here, an attacker could carry out additional actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session.

Business Impact

Stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including attempting other malicious attacks, which would appear to originate from a legitimate user.

Assessment

The severity of this vulnerability is considered moderate according to Bugcrowd’s Vulnerability Rating Taxonomy and has been assigned a CVSS 6.1 (medium) rating in the Common Vulnerability Scoring System.

This vulnerability has been found in a penetration test by a security researcher. We have no reports about it being actively exploited.

Action

Affected versions

Versions up to and including 4.0.0 of S/Notify for Confluence must be considered affected.

Temporary Mitigation

Preventing users from uploading their own S/MIME certificates will remove the vulnerability from your installation. To do so:

  1. navigate to the S/Notify User Key Management administration page

  2. on the S/MIME tab, deselect Allow user uploads

Permanent Fix

Download and install our fix release 4.0.1 of S/Notify for Confluence.