Privilege Escalation in EasyTime for Jira Cloud configuration screen
Incident Report for TechTime Initiative Group
Resolved
The vulnerability has been rated as P2 by BugCrowd. See: https://www.bugcrowd.com/blog/vulnerability-prioritization-at-bugcrowd/

Our sincere thanks go to BugCrowd security researcher Amirmohammad Vakili – thank you for holding us to account and keeping our customers safe.
Posted Feb 01, 2021 - 15:15 NZDT
Update
The vulnerability has been scored as 7.1 (High) under the CVSS 3.1 system: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H/E:F/RL:O/RC:C

We have identified that the vulnerability has existed in the code since the very first version of EasyTime for Jira Cloud (published 3 July 2020). This vulnerability does not affect EasyTime for Jira Server or EasyTime for Jira Data Center apps.

Based on our investigations, this incident may have the following impacts on your instance:

- It is possible that a logged-in, ordinary, non-admin user was able to view the EasyTime configuration page, including the names of the tracked user groups and the "ignore JQL" filter, which may contain sensitive information, e.g. the project keys of otherwise locked-down projects that ordinary users should not be aware of.
- It is possible that a logged-in, ordinary, non-admin user was able to view the names of other groups that exist in the system through the auto-complete feature of the tracked groups UI component. The JQL filter is validated under the user's own privileges, so although they could have viewed what was already configured, they would not have been able to enumerate or see anything beyond what they already had permission to access.
- It is possible that a logged-in, ordinary, non-admin user was able to update EasyTime's configuration, changing the settings including the tracked group list and the ignore JQL filter, thus widening or narrowing the scope of EasyTime in your instance and altering the behaviour of our app.
- It is possible that a logged-in, ordinary, non-admin user was able to view the full name of the user who previously configured the Tempo Timesheets integration, thus revealing that user's admin status at the time of the configuration.
- It is possible that a logged-in, ordinary, non-admin user was able to alter the settings of the existing Tempo Timesheets integration by revoking the existing integration token and recreating the integration under their own name. No data from your Jira would be sent anywhere other than Tempo's API endpoint. We are confident that no information about the actual work logs would be obtained by the attacker in this case.
- It is possible that a logged-in, ordinary, non-admin user was able to integrate EasyTime with Tempo Timesheets under their own name. No data from your Jira would be sent anywhere other than Tempo's API endpoint. We are confident that no information about the actual work logs would be obtained by the attacker in this case.

Recommended further steps:

- Please review your EasyTime for Jira Cloud configuration to make sure no unintended changes have been made and that no sensitive data has been exposed.
- If the Tempo Timesheets integration has been authorized by a user who is not an admin, note the user's Full Name shown, revoke the token, reconfigure the integration with an admin user, and get in touch with us to obtain more information about this issue from our backend logs.

We want you to know that we take this issue very seriously. Please accept our sincere apologies for any inconvenience this may have caused. We are conducting a thorough review of our internal processes to ensure this does not occur again for you or other customers.

If you have any questions, please feel free to raise a support request via our Service Desk (https://katara.techtime.org/jira/servicedesk/customer/portal/9), or chat on our website, or by replying to this notification email.
Posted Jan 20, 2021 - 13:20 NZDT
Monitoring
We are awaiting triage results from the Bug Bounty program to further classify this incident and notify customers accordingly.
Posted Jan 18, 2021 - 17:28 NZDT
Identified
We have reproduced the issue and identified a permission check that was returning an incorrect result. We have produced a fix and deployed the fixed version of the code to our cloud hosting.
Posted Jan 18, 2021 - 14:30 NZDT
Investigating
We have a report from a security researcher in our Bug Bounty program that there is a vulnerability in EasyTime for Jira Cloud that allows a logged-in non-admin user to access the app's configuration screen (intended to be admin only), and to view and change the configuration, including the settings of the integration with Tempo Timesheets.
Posted Jan 18, 2021 - 08:00 NZDT
This incident affected: TechTime Cloud Apps (EasyTime for Jira Cloud).