Update - The vulnerability has been scored 7.1 (High) under the CVSS 3.1 system: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H/E:F/RL:O/RC:C

We have identified that the vulnerability has existed in the code since the very first version of EasyTime for Jira Cloud (published 3 July 2020). This vulnerability does not affect EasyTime for Jira Server or EasyTime for Jira Data Center apps.

Based on our investigations, this incident may have the following impacts on your instance:

- It is possible that a logged-in, ordinary, non-admin user was able to view the EasyTime configuration page, including the names of the tracked user groups and the "ignore JQL" filter, which may contain sensitive information, for example the project keys of otherwise locked-down projects that ordinary users should not be aware of.
- It is possible that a logged-in, ordinary, non-admin user was able to view the names of other groups that exist in the system through the auto-complete feature of the tracked groups UI component. The JQL filter is validated under the user's own privileges, so although they could have viewed what was already configured, they would not have been able to enumerate or see anything beyond what they already had permission for.
- It is possible that a logged-in, ordinary, non-admin user was able to update EasyTime's configuration, changing settings such as the tracked group list and the ignore JQL filter, and thus widening or narrowing the scope of EasyTime in your instance and altering the behavior of our app.
- It is possible that a logged-in, ordinary, non-admin user was able to view the full name of the user who previously configured the Tempo Timesheets integration, thus revealing that user's admin status at the time of the configuration.
- It is possible that a logged-in, ordinary, non-admin user was able to alter the settings of the existing Tempo Timesheets integration by revoking the existing integration token and recreating the integration under their own name. No data from your Jira would be sent anywhere other than Tempo's API endpoint. We are confident that no information about the actual work logs would be obtained by the attacker in this case.
- It is possible that a logged-in, ordinary, non-admin user was able to integrate EasyTime with Tempo Timesheets under their own name. No data from your Jira would be sent anywhere other than Tempo's API endpoint. We are confident that no information about the actual work logs would be obtained by the attacker in this case.

Recommended further steps:

- Please review your EasyTime for Jira Cloud configuration to make sure no unintended changes have been made and that no sensitive data has been exposed.
- If the Tempo Timesheets integration has been authorized by a user who is not an admin, note the user's Full Name shown, revoke the token, reconfigure the integration with an admin user, and get in touch with us to obtain more information about this issue from our backend logs.

We want you to know that we take this issue very seriously. Please accept our sincere apologies for any inconvenience this may have caused. We are conducting a thorough review of our internal processes to ensure this does not occur again for you or other customers.

If you have any questions, please feel free to raise a support request via our Service Desk (https://katara.techtime.org/jira/servicedesk/customer/portal/9), or chat on our website, or by replying to this notification email.
Jan 20, 13:20 NZDT

Monitoring - We are awaiting triage results from the Bug Bounty program to further classify this incident and notify customers accordingly.
Jan 18, 17:28 NZDT

Identified - We have reproduced the issue and identified a permission check that was returning an incorrect result, produced a fix, and deployed a fixed version of the code to our cloud hosting.
Jan 18, 14:30 NZDT

Investigating - We have a report from a security researcher in our Bug Bounty program that there is a vulnerability in EasyTime for Jira Cloud that allows a logged-in non-admin user to access the app's configuration screen (intended to be admin only) and to view and change the configuration, including the settings of the integration with Tempo Timesheets.
Jan 18, 08:00 NZDT
Jan 20, 2021

Unresolved incident: Privilege Escalation in EasyTime for Jira Cloud configuration screen.