Summary

Authenticated users with the "Create Token on Behalf" permission can gain full access to the Jira/Confluence database.

Advisory Release Date

 - Interim Version

Affected Product

API Token Authentication Jira

API Token Authentication Confluence

Affected versions

1.3.0, 1.3.1 & 1.4.0

Fixed versions

Versions 1.2.3 and below are not affected by this issue.

1.4.1 is the first fixed release in the 1.4.x line; 1.4.1 and above are not vulnerable.
1.3.2 has been released as a maintenance release that also contains the fix.

CVSS Score

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Base Score 7.2
Temporal Score 6.7


Summary

This advisory discloses a critical severity security vulnerability affecting our API Token Authentication products in versions 1.3.0 through 1.4.0.
An authenticated user with the permission to create tokens on behalf of other users can gain full access to the Jira/Confluence database.

Please upgrade your installations to 1.4.1 or newer to fix this vulnerability.

Details

Today () we received a submission of this critical security vulnerability via our Bugcrowd bug bounty program.

We will disclose the exact steps to reproduce/exploit this vulnerability by 6 a.m. CET, to leave our customers some time to put mitigations/fixes in place.

The vulnerability allows an authenticated user who has the permission in our plugin to create tokens on behalf of other users to gain full access to the host product's (Jira/Confluence) database.
Generally, the "Create Token on Behalf" permission is only given to administrators or not used at all; this often serves as a natural mitigation of the issue.

The fixed versions 1.4.1 and 1.3.2 have been available in the Marketplace since 11 a.m. CET (5 hours after the original Bugcrowd submission).

What You Need to Do


Upgrade

Upgrade your installation to version 1.4.1 or newer. If you are currently on 1.3.0 or 1.3.1, you can also choose to upgrade to 1.3.2, which has been released to contain this fix.
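Because the fix ships on two release lines (1.3.2 and 1.4.1), a naive "version >= 1.3.2" check would wrongly pass 1.4.0. The following added example (not part of this advisory or the plugin) encodes the affected/fixed rules stated above as a branch-aware check and applies them to a Universal Plugin Manager listing (GET <base-url>/rest/plugins/1.0/); the plugin key is a placeholder and matching by display name is an assumption.

```python
import json
import re
from typing import List, Tuple

# First fixed release per branch, as stated in the advisory.
FIRST_FIXED = {(1, 3): (1, 3, 2), (1, 4): (1, 4, 1)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_affected(version: str) -> bool:
    """True if this plugin version is in the affected range (1.3.0, 1.3.1, 1.4.0)."""
    v = parse_version(version)
    if v < (1, 3, 0) or v >= (1, 4, 1):
        return False  # 1.2.3 and below, and 1.4.1 and above, are not affected
    # Inside 1.3.0..1.4.0 each branch has its own maintenance fix (1.3.2 / 1.4.1),
    # so compare against the fix of the installed branch, not a single cutoff.
    return v < FIRST_FIXED[v[:2]]


def scan_upm_listing(listing_json: str,
                     name_fragment: str = "API Token Authentication") -> List[Tuple[str, str, bool]]:
    """Return (name, version, affected) for every plugin whose name matches.
    Assumes the UPM JSON shape {"plugins": [{"key", "name", "version", ...}]}."""
    data = json.loads(listing_json)
    results = []
    for p in data.get("plugins", []):
        if name_fragment.lower() in p.get("name", "").lower():
            results.append((p["name"], p["version"], is_affected(p["version"])))
    return results


# Constructed sample listing (not a real UPM response; plugin key is a placeholder).
SAMPLE_LISTING = json.dumps({"plugins": [
    {"key": "PLACEHOLDER.api-token-authentication", "name": "API Token Authentication for Jira",
     "version": "1.4.0", "enabled": True},
    {"key": "com.example.other", "name": "Some Other Plugin", "version": "3.1.0", "enabled": True},
]})

if __name__ == "__main__":
    for name, ver, bad in scan_upm_listing(SAMPLE_LISTING):
        print(f"{name} {ver}: {'AFFECTED - upgrade to 1.3.2 / 1.4.1+' if bad else 'not affected'}")
```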


Other Mitigations / Workarounds

If you cannot upgrade our plugin right now, here are two more possible mitigations/workarounds.

Remove the "Create token on behalf" permission from all Users.

Confluence/Jira Administration → API Token Authentication → Go to the "Permissions" Tab.

At the Section "Create Token On Behalf Permission", remove all Groups from the Setting "Groups with create token on behalf permission". 

It should look like this afterward:

→ Save the config.


Accept the Risk

Based on your deployment, you could also choose to accept the risk without any changes. Generally, the permission to create tokens on behalf of other users is only given to highly privileged groups like administrators.
Administrators often already have full DB access, or can gain it by installing an add-on, so they do not need to rely on this vulnerability to obtain it.

Support

If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.