2020-07-09 - SQL injection Vulnerability
| Summary | Authenticated users with the "Create Token on Behalf" permission can gain full access to the Jira/Confluence database. |
|---|---|
| Advisory Release Date | - Interim Version |
| Affected Product | |
| Affected versions | 1.3.0, 1.3.1 and 1.4.0 |
| Fixed versions | 1.3.2 (for the 1.3.x line) and 1.4.1 and above. Versions 1.2.3 and below are not affected. |
| CVSS Score | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C (Base Score 7.2, Temporal Score 6.7) |
Summary
This advisory discloses a critical severity security vulnerability (CVSS 3.1 base score 7.2, temporal score 6.7) affecting our API Token Authentication apps for Jira and Confluence in versions 1.3.0, 1.3.1 and 1.4.0.
An authenticated user who has the permission to create tokens on behalf of other users can gain full access to the Jira/Confluence database.
Please upgrade your installations to 1.4.1 or newer (or to 1.3.2 if you stay on the 1.3.x line) to fix this vulnerability.
Details
Today () we received a submission of this critical security vulnerability via our Bugcrowd bug bounty program.
We will disclose the exact steps to reproduce/exploit this vulnerability by 6 a.m CET - to leave our customers some time to put mitigations/fixes in place.
The vulnerability allows an authenticated user who has been granted the permission in our plugin to create tokens on behalf of other users to gain full access to the host product's (Jira/Confluence) database.
Generally, the "Create Token on Behalf" permission is only given to administrators or not used at all, which limits the exposure in practice.
Fixed versions 1.4.1 and 1.3.2 have been available in the Marketplace since 11 a.m CET (5 hours after the original Bugcrowd submission).
What You Need to Do
Upgrade
Upgrade your installation to version 1.4.1 or newer. If you are currently on 1.3.0 or 1.3.1 you can also choose to upgrade to 1.3.2, which has been released with the same fix.
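When several Jira and Confluence instances are involved, the affected/fixed ranges above are easy to misread because they are not monotonic (1.3.2 is fixed while the later 1.4.0 is not). The following is an added example, not vendor tooling: a small triage helper that encodes exactly the ranges stated in this advisory and classifies an installed app version. Anything the advisory does not cover (for instance 1.2.4, or a four-part version) is reported as "unknown" rather than guessed. `SAMPLE_INVENTORY` is constructed sample data; the function names are this example's.

```python
# Ranges taken from the advisory: affected, first fixed per line, last unaffected.
AFFECTED = {(1, 3, 0), (1, 3, 1), (1, 4, 0)}
LAST_UNAFFECTED = (1, 2, 3)   # "1.2.3 and below are not affected"
FIXED_13 = (1, 3, 2)          # fix backported to the 1.3.x line
FIXED_14 = (1, 4, 1)          # "1.4.1 and above are not vulnerable"


def parse_version(text):
    """'1.4.1' -> (1, 4, 1); a qualifier such as '1.4.1-SNAPSHOT' is dropped."""
    core = text.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def advisory_status(version):
    """Classify an installed API Token Authentication version against this advisory."""
    v = parse_version(version)
    if v in AFFECTED:
        return "vulnerable"
    if v <= LAST_UNAFFECTED:
        return "not affected"
    if v[:2] == (1, 3) and v >= FIXED_13:
        return "fixed"
    if v >= FIXED_14:
        return "fixed"
    # e.g. 1.2.4 or 1.4.0.1: the advisory text says nothing about these.
    return "unknown"


def triage(inventory):
    """inventory: {instance_name: installed_version} -> {instance_name: status}."""
    return {name: advisory_status(ver) for name, ver in inventory.items()}


# Constructed sample data, not real instances.
SAMPLE_INVENTORY = {
    "jira-prod": "1.4.0",
    "confluence-prod": "1.3.2",
    "jira-staging": "1.2.3",
    "confluence-dev": "1.4.1",
    "jira-legacy": "1.2.4",
}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:16} {SAMPLE_INVENTORY[name]:8} {status}")
```

Instances reported as "vulnerable" need the upgrade; "unknown" ones should be checked manually against the Marketplace release notes rather than assumed safe.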
Other Mitigations / Workarounds
If you cannot upgrade our plugin right now, here are two more possible mitigations/workarounds.
Remove the "Create token on behalf" permission from all users:
Confluence/Jira Administration → API Token Authentication → Go to the "Permissions" tab.
In the section "Create Token On Behalf Permission", remove all groups from the setting "Groups with create token on behalf permission".
Afterward the group list for that setting should be empty; no group should be able to create tokens on behalf of other users.
→ Save the config.
Accept the Risk
Based on your deployment, you could also choose to accept the risk without any changes. Generally, the permission to create tokens on behalf of other users is only given to highly privileged groups such as administrators.
Administrators often already have, or can gain (for example by installing an add-on), full database access, so they do not need this vulnerability to obtain it. Before accepting the risk, verify in the "Permissions" tab that the groups holding this permission really contain only such users.
Support
If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.