The vulnerability has been scored as 7.1 (High) on CVSS 3.1 system:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H/E:F/RL:O/RC:C
We have identified that the vulnerability has existed in the code since the very first version of EasyTime for Jira Cloud (published 3 July 2020). This vulnerability does not affect the EasyTime for Jira Server or EasyTime for Jira Data Center apps.
Based on our investigations, this incident may have the following impacts on your instance:
- It is possible that a logged-in, ordinary, non-admin user was able to view the EasyTime configuration page, including the names of the tracked user groups and the "ignore JQL" filter, which may contain sensitive information, e.g. the project keys of otherwise locked-down projects that ordinary users should not be aware of.
- It is possible that a logged-in, ordinary, non-admin user was able to view the names of other groups that exist in the system through the auto-complete feature of the tracked groups UI component. The JQL filter is validated under the user's own privileges, so although they could have viewed what was already there, they could not have enumerated or seen anything additional that they do not already have permission to see.
- It is possible that a logged-in, ordinary, non-admin user was able to update EasyTime's configuration, changing settings such as the tracked group list and the ignore JQL filter, and thus widening or narrowing the scope of EasyTime in your instance and altering the behavior of our app.
- It is possible that a logged-in, ordinary, non-admin user was able to view the full name of the user who had previously configured the Tempo Timesheets integration, thus revealing that they held admin status at the time of the configuration.
- It is possible that a logged-in, ordinary, non-admin user was able to alter the settings of the existing Tempo Timesheets integration by revoking the existing integration token and recreating the integration under their own name. No data from your Jira would be sent anywhere other than Tempo's API endpoint. We are confident that no information about the actual work logs would be obtained by the attacker in this case.
- It is possible that a logged-in, ordinary, non-admin user was able to integrate EasyTime with Tempo Timesheets under their own name. No data from your Jira would be sent anywhere other than Tempo's API endpoint. We are confident that no information about the actual work logs would be obtained by the attacker in this case.
Recommended further steps:
- Please review your EasyTime for Jira Cloud configuration to make sure no unintended changes have been made and that no sensitive data has been exposed.
- If the Tempo Timesheets integration has been authorized by a user who is not an admin, note the user's full name as shown, revoke the token, reconfigure the integration with an admin user, and get in touch with us to obtain more information about this issue from our backend logs.
We want you to know that we take this issue very seriously. Please accept our sincere apologies for any inconvenience this may have caused. We are conducting a thorough review of our internal processes to ensure this does not occur again for you or other customers.
If you have any questions, please feel free to raise a support request via our Service Desk (https://katara.techtime.org/jira/servicedesk/customer/portal/9), chat with us on our website, or reply to this notification email.