Permission check missing in SpaceUnZip actions
Incident Report for TechTime Initiative Group
Resolved
This incident has been resolved.
Posted Apr 14, 2020 - 14:48 NZST
Update
New version 1.1.5 has been released to Atlassian Marketplace:
https://marketplace.atlassian.com/apps/744299/techtime-spaceunzip/version-history#b100100500
Posted Apr 14, 2020 - 14:47 NZST
Identified
We have confirmed a vulnerability exists. The only way to mitigate the vulnerability for now is to disable SpaceUnZip system-wide.

Credit: Ioannis Oikonomou
Vulnerability rated as: 3.4 (Low)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:F/RL:U/RC:C
Posted Apr 09, 2020 - 10:00 NZST
Investigating
We received a report that a user who has read-only access to a space is able to click on the SpaceUnZip link in attachments and unzip files within the space, thus creating new pages.
Posted Apr 09, 2020 - 07:45 NZST
This incident affected: TechTime Server Apps (SpaceUnZip for Confluence Server).