Release 1.5.1-AC: Critical security vulnerability announcement (CG-276)

Announcement about a vulnerability which was fixed on the 4th May 2021 (by release 1.5.1-AC)

Hello,

We are writing to inform you of a security vulnerability that was recently identified in the Speedy PDF Sign-Offs for Jira. The vulnerability affects all versions up to 1.4.11-AC (which was current up to 4th May 2021) of the Speedy PDF Sign-Offs for Jira developed by us. In summary, the vulnerability:

  1. Existed from the launch of the App until the 4th of May 2021.

  2. Could be exploited by:

    1. Non-users, if Jira Service Management is installed and the option "Can customers access and send requests from the help center without logging in?" is set to yes.

    2. Jira users of this instance.

  3. When exploited, could lead to:

    1. Retrieving Speedy PDF exports of issues without the access permission.

    2. Gaining access to the external storage (Google Drive) where Speedy PDF files are stored.

This vulnerability has been rated as critical according to the Common Vulnerability Scoring System (CVSS) scale.

The vulnerability was identified by a researcher in the Atlassian Marketplace Bug Bounty Program. Once we became aware of the issue, we performed a critical review of our App for the reported scenario, as well as related and similar scenarios. Based on what we found, we fixed the vulnerability in our code and have tested all identified scenarios to ensure that this vulnerability is now fixed.

Based on our investigations, the vulnerability is not likely to have had any impacts on you.

We updated the Atlassian Marketplace with an updated listing of our app that is free from this vulnerability. No further action is required from you at this point.

We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for you and our other customers.

If you have any questions, please feel free to raise a support request at our support desk referencing CG-267.

Sincerely,

Rina Nir

CEO