Inbox for Jira Security Advisory 2021-10-17
Summary | Vulnerability 2: Lack of privilege separation |
---|---|
Advisory release date | 2021-10-17 |
Product | Inbox for Jira |
Affected versions | Inbox for Jira app - Marketplace download version: versions prior to 5.0.3 |
Fixed versions - Inbox for Jira Marketplace App | 5.0.3 |
CVE ID(s) | |
Summary of vulnerability
This advisory discloses a critical severity security vulnerability in versions of the Inbox for Jira app prior to 5.0.3.
Customers who have upgraded to Inbox for Jira version 5.0.3 aren't affected.
If you've downloaded and installed any versions listed in the Affected versions section, you must upgrade your installations to fix this vulnerability.
Vulnerability 2: Lack of privilege separation
Severity
Rixter AB rates the severity level of this vulnerability as critical, according to the scale published in Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate, or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
Description
The endpoint /rest/inbox/1.0/settings/global, which is responsible for changing the app's global settings, does not verify that the requesting user is an administrator. As a result, any user, not only administrators, can modify the global settings.
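To make the missing check concrete, here is an added illustration (not the Inbox for Jira source) of a Jira Server/Data Center JAX-RS resource for a global-settings endpoint, first in the pre-fix shape the description implies and then with the administrator check added via the SAL UserManager. The class, method and type names, the HTTP verb and the settings payload are assumptions.

```java
// Added illustration, not the Inbox for Jira source: a Jira Server/DC JAX-RS
// resource for a global-settings endpoint, in its pre-fix and hardened forms.
// Class, field and method names are assumptions.
import com.atlassian.sal.api.user.UserManager;
import com.atlassian.sal.api.user.UserProfile;
import javax.inject.Inject;
import javax.ws.rs.Consumes;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

final class GlobalSettings { public boolean notifyAllUsers; } // hypothetical payload
interface GlobalSettingsStore { void save(GlobalSettings s); } // hypothetical persistence

@Path("/settings/global") // mounted under /rest/inbox/1.0/ by the REST module descriptor
public class GlobalSettingsResource {
    private final UserManager userManager;
    private final GlobalSettingsStore store;

    @Inject
    public GlobalSettingsResource(UserManager userManager, GlobalSettingsStore store) {
        this.userManager = userManager;
        this.store = store;
    }

    // Pre-fix pattern: the REST layer authenticates the session, but nothing
    // checks the caller's role, so any logged-in user can overwrite instance-wide
    // settings. Placed on a sub-path only so both variants compile side by side.
    @PUT @Path("/unchecked") @Consumes(MediaType.APPLICATION_JSON)
    public Response updateUnchecked(GlobalSettings settings) {
        store.save(settings);
        return Response.noContent().build();
    }

    // Hardened pattern: resolve the caller and require Jira administrator rights
    // (SAL UserManager.isAdmin) before touching global state: 401 anonymous, 403 non-admin.
    @PUT @Consumes(MediaType.APPLICATION_JSON)
    public Response updateGlobalSettings(GlobalSettings settings) {
        UserProfile caller = userManager.getRemoteUser();
        if (caller == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        if (!userManager.isAdmin(caller.getUserKey())) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        store.save(settings);
        return Response.noContent().build();
    }
}
```

The check belongs in the resource method (or a shared filter) rather than in the UI, because the REST endpoint is reachable directly regardless of which settings pages a user can see.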
Acknowledgments
The issue was discovered by michael.anastasakis@klarna.com of Klarna Bank AB via their internal security program.
Fix
We have taken the following steps to address this issue:
Released version 5.0.3 of Inbox for Jira for Data Center and Server
What you need to do
Rixter AB recommends that you upgrade to the latest fix version.
Upgrade
Click Install in the Manage apps section of your Jira instance, or go to https://marketplace.atlassian.com/apps/1217318/inbox-in-app-notifications-for-jira?tab=overview&hosting=datacenter to download the app and install it manually.
App version | Application compatibility |
---|---|
5.0.3 | https://marketplace.atlassian.com/apps/1217318/inbox-in-app-notifications-for-jira/version-history |
Support
If you have questions or concerns regarding this advisory, raise a support request at https://rixter.atlassian.net/servicedesk/customer/portal/2
References
Rixter AB maintains a single release track, so customers must upgrade to the latest version to receive security fixes; Rixter AB does not backport updates.
Rixter uses the Atlassian security severity levels for its security ratings.
Our End of Life policy varies by product. Please refer to the policy for details.