
SA-2023-11-28

Summary

This is a Security Advisory about the following two vulnerabilities in S/Notify for Jira, S/Notify for Confluence and S/Notify for Bitbucket.

CSRF based vulnerability in S/Notify configuration pages

CVE-IDs: CVE-2023-50930 (Jira), CVE-2023-50931 (Bitbucket), CVE-2023-50932 (Confluence)

We would like to inform our clients about a CSRF (Cross-Site Request Forgery) vulnerability that has been found in the configuration pages of S/Notify.

You are affected when one of the following conditions applies:

  • you use S/Notify for Jira with Jira in a version before 9.0

  • you use S/Notify for Jira with Jira Service Management before 5.0

  • you use S/Notify for Confluence

  • you use S/Notify for Bitbucket

We recommend that you update S/Notify as soon as possible if you are affected.

For further clarity, this vulnerability does not apply in any of the following cases:

  • you use S/Notify for Jira with Jira in version 9.0 or newer 👍

  • you use S/Notify for Jira with Jira Service Management in version 5.0 or newer 👍

Description

While an administrative user is logged on, the configuration settings of S/Notify can be modified using a CSRF attack.

The attack could be initiated by the administrator clicking a malicious link in an email or by visiting a malicious website while logged on to the application.

Background

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With the help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing.

Business Impact

If executed while an administrator is logged on to Jira, Confluence or Bitbucket, an attacker could exploit the vulnerability to modify the configuration of the S/Notify app on that host. In particular, this can lead to email notifications no longer being encrypted when they should be.

Assessment

This vulnerability is considered severe according to Bugcrowd’s Vulnerability Rating Taxonomy and has been assigned a CVSS 8.3 (high) rating in the Common Vulnerability Scoring System.

This vulnerability has been found in a penetration test by a security researcher. We have no reports or other indication of it being actively exploited.

Action

Affected versions

Versions up to and including 4.0.1 of S/Notify for Jira and Confluence, as well as versions up to and including 2.0.0 of S/Notify for Bitbucket must be considered affected.

Temporary Mitigation

Administrative users should log out of Jira, Confluence, or Bitbucket when they no longer need administrative access to the application. A forged request only succeeds because the browser attaches the victim's existing session cookie; without an authenticated administrator session there is nothing for the request to ride on, so this effectively prevents the abuse of the vulnerability.

Permanent Fix

Download and install our fix releases where applicable:

  • S/Notify for Jira 4.0.2

  • S/Notify for Confluence 4.0.2

  • S/Notify for Bitbucket 2.0.1

CSRF based vulnerability in user upload

CVE-IDs: CVE-2024-23734 (Bitbucket), CVE-2024-50936 (Confluence), CVE-2024-50937 (Jira)

We would like to inform our clients about a CSRF (Cross-Site Request Forgery) vulnerability that has been found in the upload functionality of the User Profile pages of S/Notify. It also affects the customer upload functionality in Jira Service Management.

You are affected when one of the following conditions applies:

  • you use S/Notify for Jira with Jira in a version before 9.0
    and you have enabled users to upload their own S/MIME certificate or PGP key

  • you use S/Notify for Jira with Jira Service Management in a version before 5.0
    and you have enabled users to upload their own S/MIME certificate or PGP key

  • you use S/Notify for Jira with Jira Service Management
    and you have enabled customers to upload their own S/MIME certificate or PGP key

  • you use S/Notify for Confluence

  • you use S/Notify for Bitbucket

For further clarity, this vulnerability does not apply in any of the following cases:

  • in Jira: you use Jira in version 9.0 or newer 👍

  • in Jira, Confluence, or Bitbucket: you have not enabled users to upload their own S/MIME certificate or PGP key 👍

  • in Jira Service Management: you have not enabled users nor customers to upload their own S/MIME certificate or PGP key 👍

  • in Jira Service Management: you use Jira Service Management in version 5.0 or newer
    and you have not enabled customers to upload their own S/MIME certificate or PGP key 👍

Description

While a user is logged on, the user's or customer's S/MIME certificate or PGP key can be added, replaced or removed using a CSRF attack. To replace an S/MIME certificate or PGP key, the attacker must craft one that matches the user's email address.

The attack could be initiated by the user clicking a malicious link in an email or by visiting a malicious website while logged on to the application.

Background

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With the help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing.
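Both vulnerabilities in this advisory (the configuration pages and the certificate/key upload) share the same root cause: a state-changing request that is authenticated by nothing more than the session cookie the browser attaches automatically. The following is an added example written for this page, not S/Notify's or Atlassian's code; the `/config` handler, the in-memory session store, the `JSESSIONID` cookie name and the `csrf_token` form field are assumptions for the demonstration. It contrasts a handler that accepts a forged cross-site POST with one that rejects it via a session-bound synchronizer token and an Origin check, and also shows why the advisory's temporary mitigation (logging out) works.

```python
"""Added example (not S/Notify code): why a cookie-authenticated,
state-changing request is forgeable, and the checks that stop it.

The endpoint, session store, cookie name and token field are assumed
for illustration only.
"""
import hmac
import secrets
from dataclasses import dataclass, field

APP_ORIGIN = "https://jira.example.internal"   # assumed origin of the app

# Constructed in-memory state: one logged-in administrator session and
# the one setting an attacker would like to flip.
SESSIONS = {"sess-admin": {"user": "admin", "csrf_token": secrets.token_hex(16)}}
CONFIG = {"encrypt_notifications": True}


@dataclass
class Request:
    method: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def _session(req):
    return SESSIONS.get(req.cookies.get("JSESSIONID"))


def vulnerable_update_config(req):
    """Checks only the session cookie. The browser sends that cookie with a
    form submitted from the attacker's page too, so the forged request is
    indistinguishable from a legitimate one."""
    sess = _session(req)
    if req.method != "POST" or sess is None:
        return 401
    CONFIG["encrypt_notifications"] = req.form.get("encrypt") == "true"
    return 200


def hardened_update_config(req):
    """Same handler with a synchronizer token bound to the session and an
    Origin check. A missing Origin fails closed, which is the safe default."""
    sess = _session(req)
    if req.method != "POST" or sess is None:
        return 401
    if req.headers.get("Origin") != APP_ORIGIN:
        return 403                                   # cross-site submission
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf_token"]):
        return 403                                   # token missing or forged
    CONFIG["encrypt_notifications"] = req.form.get("encrypt") == "true"
    return 200


def forged_request():
    """What the victim's browser sends after visiting the attacker's page:
    the session cookie is present (added by the browser), the Origin is the
    attacker's site, and the attacker cannot know the per-session token."""
    return Request("POST", {"JSESSIONID": "sess-admin"},
                   {"encrypt": "false"}, {"Origin": "https://evil.example"})


def legitimate_request():
    """A real form submission from the app's own page carries the token."""
    sess = SESSIONS["sess-admin"]
    return Request("POST", {"JSESSIONID": "sess-admin"},
                   {"encrypt": "false", "csrf_token": sess["csrf_token"]},
                   {"Origin": APP_ORIGIN})


def run_scenarios():
    """Returns {scenario: (http_status, encryption_still_enabled)}."""
    results = {}
    CONFIG["encrypt_notifications"] = True
    status = vulnerable_update_config(forged_request())
    results["vulnerable_forged"] = (status, CONFIG["encrypt_notifications"])

    CONFIG["encrypt_notifications"] = True
    status = hardened_update_config(forged_request())
    results["hardened_forged"] = (status, CONFIG["encrypt_notifications"])

    status = hardened_update_config(legitimate_request())
    results["hardened_legit"] = (status, CONFIG["encrypt_notifications"])

    # Temporary mitigation from the advisory: the administrator has logged
    # out, so the browser has no session cookie to attach to the forgery.
    CONFIG["encrypt_notifications"] = True
    logged_out = forged_request()
    logged_out.cookies = {}
    status = vulnerable_update_config(logged_out)
    results["logged_out_forged"] = (status, CONFIG["encrypt_notifications"])
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: status={outcome[0]}, encryption_enabled={outcome[1]}")
```

The vulnerable handler turns encryption off for a forged request (200) while the hardened one refuses it (403) and still accepts the genuine submission; with no session cookie the forgery is simply unauthenticated (401). In a real deployment the token must be unpredictable, compared in constant time as above, and issued per session, and `SameSite` cookie attributes are a useful second layer but not a substitute for the server-side check.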

Business Impact

If executed while the user is logged on to Jira, Confluence or Bitbucket, an attacker could exploit the vulnerability to upload a specifically crafted S/MIME certificate or PGP key for the user, which would then be used to encrypt email notifications to that user. However, since the user would no longer be able to decrypt and read their notifications, the attack would not go unnoticed for long.

We therefore consider the impact of this vulnerability to be very limited.

Assessment

The severity of this vulnerability is considered low according to Bugcrowd’s Vulnerability Rating Taxonomy and has been assigned a CVSS 3.1 (low) rating in the Common Vulnerability Scoring System.

This vulnerability has been found and verified within our own test environment. We have no reports or other indication of it being actively exploited.

Action

Affected versions

Versions up to and including 4.0.1 of S/Notify for Jira and Confluence, as well as versions up to and including 2.0.0 of S/Notify for Bitbucket must be considered affected.

Temporary Mitigation

If feasible, disable the user and/or customer upload functionality. This effectively removes the vulnerability.

Permanent Fix

Download and install our fix releases where applicable:

  • S/Notify for Jira 4.0.2

  • S/Notify for Confluence 4.0.2

  • S/Notify for Bitbucket 2.0.1
