Skip to main content
Skip table of contents

SA-2023-11-28

Summary

This is a Security Advisory about about the following two vulnerabilities in S/Notify for Jira, S/Notify for Confluence and S/Notify for Bitbucket.

CSRF based vulnerability in S/Notify configuration pages

CVE-IDs: CVE-2023-50930 (Jira), CVE-2023-50931 (Bitbucket), CVE-2023-50932 (Confluence)

We would like to inform our clients about a CSRF (Cross Site Request Forgery) based vulnerability that has been found in the configuration of S/Notify.

You would be affected when on of the following conditions apply

  • you use S/Notify for Jira with Jira in a version before 9.0

  • you use S/Notify for Jira with Jira Service Management before 5.0

  • you use S/Notify for Confluence

  • you use S/Notify for Bitbucket

We recommend that you update S/Notify as soon as possible if you are affected

For further clarity, this vulnerability does not apply in any of the following cases:

  • you use S/Notify for Jira with in Jira in version 9.0 or newer 👍

  • you use S/Notify for Jira with Jira Service Management in version 5.0 or newer 👍

Description

While an administrative user is logged on, the configuration settings of S/Notify can be modified using a CSRF attack.

The injection could be initiated by the administrator clicking a malicious link in an email or by visiting a malicious website.

Background

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With the help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing.

Business Impact

If executed while an administrator is logged on to Jira, Confluence or Bitbucket, an attacker could exploit the vulnerability to modify the configuration of the S/Notify app on that host. This can especially lead to email notifications being no longer encrypted when they should be.

Assessment

This vulnerability is considered severe according to Bugcrowd’s Vulnerability Rating Taxonomy and has been assigned a CVSS 8.3 (high) rating in the Common Vulnerability Scoring System.

This vulnerability has been found in a penetration test by a security researcher. We have no reports or other indication of it being actively exploited.

Action

Affected versions

Versions up to and including 4.0.1 of S/Notify for Jira and Confluence, as well as versions up to and including 2.0.0 of S/Notify for Bitbucket must be considered affected.

Temporary Mitigation

Administrative users should logout of Jira, Confluence, or Bitbucket when they no longer need administrative access to the application. This effectively prevents the abuse of the vulnerability.

Permanent Fix

Download and install our fix releases where applicable

  • S/Notify for Jira 4.0.2

  • S/Notify for Confluence 4.0.2

  • S/Notify for Bitbucket 2.0.1

CSRF based vulnerability in user upload

CVE-IDs: CVE-2024-23734 (Bitbucket), CVE-2024-23736 (Confluence), CVE-2024-23737 (Jira)

We would like to inform our clients about a CSRF (Cross Site Request Forgery) based vulnerability that has been found in the upload functionality of the User Profile pages of S/Notify. It also affects the customer upload functionality in Jira Service Management.

You would be affected when one of the following conditions apply

  • you use S/Notify for Jira with Jira in a version before 9.0
    and you have enabled users to upload their own S/MIME certificate or PGP key

  • you use S/Notify for Jira with Jira Service Management in a version before 5.0
    and you have enabled users to upload their own S/MIME certificate or PGP key

  • you use S/Notify for Jira with Jira Service Management
    and you have enabled customers to upload their own S/MIME certificate or PGP key

  • you use S/Notify for Confluence

  • you use S/Notify for Bitbucket

For further clarity, this vulnerability does not apply in any of the following cases:

  • in Jira: you use Jira in version 9.0 or newer 👍

  • in Jira, Confluence, or Bitbucket: you have not enabled users to upload their own S/MIME certificate or PGP key 👍

  • in Jira Service Management: you have not enabled users nor customers to upload their own S/MIME certificate or PGP key 👍

  • in Jira Service Management: you use Jira Service Management in version 5.0 or newer
    and you have not enabled customers to upload their own S/MIME certificate or PGP key 👍

Description

While a user is logged on, the user’s or customer’s S/MIME certificate or PGP key can be added/replaced or removed using a CSRF attack. To replace an S/MIME certificate or PGP key, it must be specifically drafted to match the user’s email address.

The injection could be initiated by the user clicking a malicious link in an email or by visiting a malicious website.

Background

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With the help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing.

Business Impact

If executed while the user is logged on to Jira, Confluence or Bitbucket, an attacker could exploit the vulnerability to upload a specifically crafted S/MIME certificate or PGP key for the user, which would then be used to encrypt the email to that user. However, since this modification would lead to the user no longer being able to decrypt and read their notifications, the attack would not go unnoticed for long.

We therefore consider the impact of this vulnerability to be very limited.

Assessment

The severity of this vulnerability is considered low according to Bugcrowd’s Vulnerability Rating Taxonomy and has been assigned a CVSS 3.1 (low) rating in the Common Vulnerability Scoring System.

This vulnerability has been found and verified within our own test environment. We have no reports or other indication of it being actively exploited.

Action

Affected versions

Versions up to and including 4.0.1 of S/Notify for Jira and Confluence, as well as versions up to and including 2.0.0 of S/Notify for Bitbucket must be considered affected.

Temporary Mitigation

If feasible, disable the user and/or customer upload functionality. This effectively removes the vulnerability.

Permanent Fix

Download and install our fix releases where applicable

  • S/Notify for Jira 4.0.2

  • S/Notify for Confluence 4.0.2

  • S/Notify for Bitbucket 2.0.1

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.