Affected versions - Inbox for Jira app (Marketplace download version):
All 4.2.x versions
All 5.x.x versions up to and including 5.0.2
Fixed versions - Inbox for Jira Marketplace App:
5.0.3 and later
Summary of vulnerability
This advisory discloses a critical severity security vulnerability in versions of the Inbox for Jira app prior to 5.0.3.
Customers who have upgraded to Inbox for Jira version 5.0.3 or later aren't affected.
If you've downloaded and installed any of the versions listed in the Affected versions section, you must upgrade your installations to fix this vulnerability. After upgrading, confirm the installed version of the app in Jira's Manage apps page.
Vulnerability 2: Lack of privilege separation
Rixter AB rates the severity level of this vulnerability as critical, according to the scale published in Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate, or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
The endpoint /rest/inbox/1.0/settings/global, which changes the app's global settings, does not check whether the calling user is a Jira administrator before applying the change. Any user who can reach the endpoint can therefore modify the global settings. This is a missing server-side authorization check: restricting the settings page in the UI to administrators offers no protection against a caller who sends the REST request directly.
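The following is an added example, not code from the Inbox for Jira app or from Rixter AB. It shows a Jira Server/Data Center plugin REST resource in the shape the advisory describes, first without and then with the missing administrator check. The package, class and settings-store names are hypothetical; the JAX-RS annotations and the Atlassian SAL `UserManager` calls are real APIs. In an Atlassian REST module the `@Path` value is relative to the module's base path, so `@Path("/settings/global")` under a base of `/rest/inbox/1.0` (assumed here) would serve the endpoint named above.

```java
// Added example, not code from the Inbox for Jira app: a Jira plugin REST
// resource in the shape the advisory describes, first without and then with
// the missing administrator check. Package, class and settings-store names
// are hypothetical; the JAX-RS annotations and the Atlassian SAL UserManager
// calls are real APIs.
package com.example.inboxdemo.rest;

import com.atlassian.sal.api.user.UserKey;
import com.atlassian.sal.api.user.UserManager;
import javax.inject.Inject;
import javax.ws.rs.Consumes;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

/** Hypothetical settings payload, bound from the JSON request body. */
class GlobalSettings {
    public String notificationSender;
    public boolean allowExternalSenders;
}

/** Hypothetical persistence layer for the app's global settings. */
interface GlobalSettingsStore {
    void save(GlobalSettings settings);
}

/**
 * VULNERABLE form: the resource assumes "only admins will call this" and
 * never verifies it, so any user who can reach the endpoint can rewrite the
 * settings. Shown for comparison only; a real plugin registers one resource
 * per path, not both of these.
 */
@Path("/settings/global")
class VulnerableGlobalSettingsResource {
    private final GlobalSettingsStore store;

    @Inject
    VulnerableGlobalSettingsResource(GlobalSettingsStore store) {
        this.store = store;
    }

    @PUT
    @Consumes(MediaType.APPLICATION_JSON)
    public Response update(GlobalSettings settings) {
        store.save(settings);                 // no check on who the caller is
        return Response.noContent().build();
    }
}

/** HARDENED form: the same endpoint, with the write gated on admin rights. */
@Path("/settings/global")
public class GlobalSettingsResource {
    private final UserManager userManager;
    private final GlobalSettingsStore store;

    @Inject
    public GlobalSettingsResource(UserManager userManager, GlobalSettingsStore store) {
        this.userManager = userManager;
        this.store = store;
    }

    /**
     * Server-side authorization check, evaluated on every request. Hiding the
     * settings page from non-admins in the UI does nothing for a caller who
     * sends the REST request directly, so the check has to live here.
     */
    boolean callerIsAdmin() {
        UserKey caller = userManager.getRemoteUserKey();   // null when anonymous
        return caller != null
                && (userManager.isAdmin(caller) || userManager.isSystemAdmin(caller));
    }

    @PUT
    @Consumes(MediaType.APPLICATION_JSON)
    public Response update(GlobalSettings settings) {
        if (userManager.getRemoteUserKey() == null) {
            // Not logged in at all: 401, not 403, so clients know to authenticate.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        if (!callerIsAdmin()) {
            // Logged in but not an administrator: refuse the change.
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        store.save(settings);
        return Response.noContent().build();
    }
}
```

With the hardened resource, a request from a non-administrator account is rejected with 403 rather than applied, which is the behaviour an administrator can use to confirm that a fixed version is in place. The check is deliberately a method on the resource rather than a comment or a UI restriction: it runs on every write, and it consults Jira's own notion of administrator rights instead of any client-supplied flag.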