Update - The vulnerability has been scored as 7.1 (High) on CVSS 3.1 system: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H/E:F/RL:O/RC:C
We have identified that the vulnerability has existed in the code since the very first version of EasyTime for Jira Cloud (published 3 July 2020). This vulnerability does not affect EasyTime for Jira Server or EasyTime for Jira Data Center apps.
Based on our investigations, this incident may have the following impacts on your instance:
- It is possible that a logged-in, ordinary, non-admin user was able to view the EasyTime configuration page, including the names of the tracked user groups, and the "ignore JQL" filter which may contain sensitive information e.g. the project keys of the otherwise locked down projects that ordinary users should not be aware of.
- It is possible that a logged-in, ordinary, non-admin user was able to view the names of other groups that exist in the system through the auto-complete feature of the tracked groups UI component. The JQL filter is validated under the user's privileges, so though they could have viewed what was already there, they wouldn't have been able to enumerate and see anything additional that they don't have permissions for already.
- It is possible that a logged-in, ordinary, non-admin user was able to update EasyTime's configuration changing the settings, including the tracked group list and the ignore JQL filter – thus widening or narrowing the scope of EasyTime in your instance, and behavior of our app.
- It is possible that a logged-in, ordinary, non-admin user was able to view the full name of the user who performed configuration of the Tempo Timesheets integration previously, thus revealing their admin status at the time of the configuration.
- It is possible that a logged-in, ordinary, non-admin user was able to alter the settings of the existing Tempo Timesheets integration, by revoking the existing integration token and recreating the integration under their own name. No data from your Jira would be sent anywhere but Tempo to their API endpoint. We are confident that no information about the actual work logs would be obtained by the attacker in this case.
- It is possible that a logged-in, ordinary, non-admin user was able to integrate EasyTime with Tempo Timesheets under their own name. No data from your Jira would be sent anywhere but Tempo to their API endpoint. We are confident that no information about the actual work logs would be obtained by the attacker in this case.
Recommended further steps:
- Please review your EasyTime for Jira Cloud configuration to make sure no unintended changes have been made and that no sensitive data has been exposed.
- If the Tempo Timesheets integration has been authorized by a user, who is not an admin, note the user's Full Name shown, revoke the token, reconfigure with an admin user, and get in touch with us to get more information about this issue from our backend logs.
We want you to know that we take this issue very seriously. Please accept our sincere apologies for any inconvenience this may have caused. We are conducting a thorough review of our internal processes to ensure this does not occur again for you or other customers.
If you have any questions, please feel free to raise a support request via our Service Desk (https://katara.techtime.org/jira/servicedesk/customer/portal/9), or chat on our website, or by replying to this notification email.
Jan 20, 13:20 NZDT
We have identified that the vulnerability has existed in the code since the very first version of EasyTime for Jira Cloud (published 3 July 2020). This vulnerability does not affect EasyTime for Jira Server or EasyTime for Jira Data Center apps.
Based on our investigations, this incident may have the following impacts on your instance:
- It is possible that a logged-in, ordinary, non-admin user was able to view the EasyTime configuration page, including the names of the tracked user groups, and the "ignore JQL" filter which may contain sensitive information e.g. the project keys of the otherwise locked down projects that ordinary users should not be aware of.
- It is possible that a logged-in, ordinary, non-admin user was able to view the names of other groups that exist in the system through the auto-complete feature of the tracked groups UI component. The JQL filter is validated under the user's privileges, so though they could have viewed what was already there, they wouldn't have been able to enumerate and see anything additional that they don't have permissions for already.
- It is possible that a logged-in, ordinary, non-admin user was able to update EasyTime's configuration changing the settings, including the tracked group list and the ignore JQL filter – thus widening or narrowing the scope of EasyTime in your instance, and behavior of our app.
- It is possible that a logged-in, ordinary, non-admin user was able to view the full name of the user who performed configuration of the Tempo Timesheets integration previously, thus revealing their admin status at the time of the configuration.
- It is possible that a logged-in, ordinary, non-admin user was able to alter the settings of the existing Tempo Timesheets integration, by revoking the existing integration token and recreating the integration under their own name. No data from your Jira would be sent anywhere but Tempo to their API endpoint. We are confident that no information about the actual work logs would be obtained by the attacker in this case.
- It is possible that a logged-in, ordinary, non-admin user was able to integrate EasyTime with Tempo Timesheets under their own name. No data from your Jira would be sent anywhere but Tempo to their API endpoint. We are confident that no information about the actual work logs would be obtained by the attacker in this case.
Recommended further steps:
- Please review your EasyTime for Jira Cloud configuration to make sure no unintended changes have been made and that no sensitive data has been exposed.
- If the Tempo Timesheets integration has been authorized by a user, who is not an admin, note the user's Full Name shown, revoke the token, reconfigure with an admin user, and get in touch with us to get more information about this issue from our backend logs.
We want you to know that we take this issue very seriously. Please accept our sincere apologies for any inconvenience this may have caused. We are conducting a thorough review of our internal processes to ensure this does not occur again for you or other customers.
If you have any questions, please feel free to raise a support request via our Service Desk (https://katara.techtime.org/jira/servicedesk/customer/portal/9), or chat on our website, or by replying to this notification email.
Jan 20, 13:20 NZDT
Monitoring - We are awaiting triage results from the Bug Bounty program to further classify this incident and notify customers accordingly
Jan 18, 17:28 NZDT
Jan 18, 17:28 NZDT
Identified - We have reproduced the issue and identified a permission check that was returning an incorrect result, produced a fix and deployed a fixed version of the code to our cloud hosting.
Jan 18, 14:30 NZDT
Jan 18, 14:30 NZDT
Investigating - We have a report from security researcher in our Bug Bounty program that there is a vulnerability in EasyTime for Jira Cloud that allows a logged in non-admin user access the app's configuration screen (intended to be admin only), view and change configuration, including the settings of the integration with Tempo Timesheets.
Jan 18, 08:00 NZDT
Jan 18, 08:00 NZDT
TechTime Service Desk
?
Operational
API
Operational
ScriptRunner in Atlassian Cloud
Operational
TechTime Server Apps
Operational
EasySSO for Jira Server
?
Operational
EasySSO for Confluence Server
?
Operational
EasySSO for Bitbucket Server
?
Operational
EasySSO for Bamboo Server
?
Operational
EasySSO for Fisheye/Crucible Server
?
Operational
EasyPage for Confluence
?
Operational
EasySEO for Confluence
?
Operational
UserManagement for Jira Server
?
Operational
UserManagement for Confluence Server
?
Operational
UserManagement for Bitbucket Server
?
Operational
SpaceUnZip for Confluence Server
?
Operational
EasyQRLink for Confluence Server
?
Operational
TechTime Data Center Apps
Operational
EasySSO for Bitbucket Data Center
?
Operational
EasySSO for Jira Data Center
?
Operational
EasySSO for Confluence Data Center
?
Operational
UserManagement for Jira Data Center
?
Operational
UserManagement for Confluence Data Center
?
Operational
UserManagement for Bitbucket Data Center
?
Operational
TechTime Cloud Apps
Operational
GoogleMaps Embed macro in Atlassian Cloud
?
Operational
EasyTime for Jira Cloud
?
Operational
Operational
Degraded Performance
Partial Outage
Major Outage
Maintenance
Major outage
Partial outage
No downtime recorded on this day.
No data exists for this day.
had a major outage.
had a partial outage.