Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

Abstract

We have fixed the following two vulnerabilities in S/Notify for Jira, S/Notify for Confluence and S/Notify for Bitbucket

CSRF based vulnerability in S/Notify configuration pages

We would like to inform our clients about a CSRF (Cross Site Request Forgery) based vulnerability that has been found in the configuration of S/Notify.

You would be affected when on of the following conditions apply

  • you use S/Notify for Jira with Jira in a version before 9.0

  • you use S/Notify for Jira with Jira Service Management before 5.0

  • you use S/Notify for Confluence

  • you use S/Notify for Bitbucket

We recommend that you update S/Notify as soon as possible if you are affected

For further clarity, this vulnerability does not apply in any of the following cases:

  • you use S/Notify for Jira with in Jira in version 9.0 or newer 👍

  • you use S/Notify for Jira with Jira Service Management in version 5.0 or newer 👍

Description

While an administrative user is logged on, the configuration settings of S/Notify can be modified using a CSRF attack.

The injection could be initiated by the administrator clicking a malicious link in an email or by visiting a malicious website.

Background

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of this domain.

From here, an attacker could carry out additional actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions.

Business Impact

If executed while an administrator is logged on to Jira, Confluence or Bitbucket, an attacker could use the vulnerability to modify the configuration of the S/Notify app on that host. This can especially lead to email notifications being no longer encrypted when they should be.

Assessment

This vulnerability is considered severe according to Bugcrowd’s Vulnerability Rating Taxonomy and has been assigned a CVSS 8.3 (high) rating in the Common Vulnerability Scoring System.

This vulnerability has been found in a penetration test by a security researcher. We have no reports about it being actively exploited.

Action

Affected versions

Versions up to and including 4.0.1 of S/Notify for Jira and Confluence, as well as versions up to and including 2.0.0 of S/Notify for Bitbucket must be considered affected.

Temporary Mitigation

Administrative users should logout of Jira, Confluence, or Bitbucket when they no longer need administrative access to the application. This effectively prevents the abuse of the vulnerability.

Permanent Fix

Download and install our fix releases where applicable

  • S/Notify for Jira 4.0.2

  • S/Notify for Confluence 4.0.2

  • S/Notify for Bitbucket 2.0.1

CSRF based vulnerability in user upload

We would like to inform our clients about a CSRF (Cross Site Request Forgery) based vulnerability that has been found in the upload functionality of the User Profile pages of S/Notify. It also affects the customer upload functionality in Jira Service Management.

You would be affected when one of the following conditions apply

  • you use S/Notify for Jira with Jira in a version before 9.0
    and you have enabled users to upload their own S/MIME certificate or PGP key

  • you use S/Notify for Jira with Jira Service Management in a version before 5.0
    and you have enabled users to upload their own S/MIME certificate or PGP key

  • you use S/Notify for Jira with Jira Service Management
    and you have enabled customers to upload their own S/MIME certificate or PGP key

  • you use S/Notify for Confluence

  • you use S/Notify for Bitbucket

For further clarity, this vulnerability does not apply in any of the following cases:

  • in Jira: you use Jira in version 9.0 or newer 👍

  • in Jira, Confluence, or Bitbucket: you have not enabled users to upload their own S/MIME certificate or PGP key 👍

  • in Jira Service Management: you have not enabled users nor customers to upload their own S/MIME certificate or PGP key 👍

  • in Jira Service Management: you use Jira Service Management in version 5.0 or newer
    and you have not enabled customers to upload their own S/MIME certificate or PGP key 👍

Description

While a user is logged on, the user’s or customer’s S/MIME certificate or PGP key can be replaced using a CSRF attack.

The injection could be initiated by the user clicking a malicious link in an email or by visiting a malicious website.

Background

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of this domain.

From here, an attacker could carry out additional actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions.

Business Impact

If executed while the user is logged on to Jira, Confluence or Bitbucket, an attacker could use the vulnerability to upload a specifically crafted S/MIME certificate or PGP key for the user, which would then be used to encrypt the email to that user. However, since this modification would lead to the user no longer being able to decrypt and read their notifications, the attack would not go unnoticed for long.

We therefore consider the impact of this vulnerability to be very limited.

Assessment

The severity of this vulnerability is considered low according to Bugcrowd’s Vulnerability Rating Taxonomy and has been assigned a CVSS 3.1 (low) rating in the Common Vulnerability Scoring System.

This vulnerability has been found and verified within our own test environment. We have no reports about it being actively exploited.

Action

Affected versions

Versions up to and including 4.0.1 of S/Notify for Jira and Confluence, as well as versions up to and including 2.0.0 of S/Notify for Bitbucket must be considered affected.

Temporary Mitigation

If feasible, disable the user and/or customer upload functionality. This effectively removes the vulnerability.

Permanent Fix

Download and install our fix releases where applicable

  • S/Notify for Jira 4.0.2

  • S/Notify for Confluence 4.0.2

  • S/Notify for Bitbucket 2.0.1

  • No labels

0 Comments

You are not logged in. Any changes you make will be marked as anonymous. You may want to Log In if you already have an account.