Security Advisory (Low) - 10th July 2023
This advisory discloses a low severity security vulnerability in the Koppla for Jira Cloud app. All versions of this plugin before version 4.51.0 are affected by this vulnerability.
If you have this plugin installed in your Jira Cloud instance, upgrade your installation to version 4.51.0 at your earliest convenience to fix this vulnerability.
Verification of API token not consistently performed when ingesting content
Severity
We rate the severity level of this vulnerability as low, according to the scale published in Atlassian’s severity levels. The scale allows us to rank the severity as critical, high, medium, or low and is based on the CVSS vulnerability metric. You can learn more about CVSS at FIRST.org.
This is our assessment, and you should evaluate its applicability to your own IT environment.
Description
The ingestion point was not verifying the API tokens when new data was submitted. This meant that an actor could submit incorrect data to a Koppla instance if the project ID and the webhook URL were known. At no point would the actor be able to read any data. At no point would the actor be able to access any Jira data.
This vulnerability affects all versions up to and including 4.51.0.
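To make the defect class concrete, the following is an added illustration (not Koppla's code, and not from the advisory) of a webhook ingestion handler in the shape the description implies: one version accepts whatever arrives for a known project ID, the other rejects the write unless the presented API token matches the token registered for that project. The project ID, token, payload and in-memory store are constructed sample data; the function names are hypothetical.

```python
"""Webhook ingestion with and without API token verification.

Hypothetical illustration of the defect class in the advisory; not Koppla's
code. Project IDs, tokens and payloads below are constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


def _token_hash(token: str) -> str:
    """Keep only a SHA-256 digest of each project's API token at rest."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


# Constructed sample registry: project ID -> digest of that project's API token.
PROJECT_TOKEN_HASHES = {
    "PROJ-1": _token_hash("token-for-proj-1"),
}


@dataclass
class Store:
    """In-memory stand-in for the app's data store plus a rejection log."""
    rows: dict = field(default_factory=dict)
    rejected: list = field(default_factory=list)


@dataclass(frozen=True)
class IngestResult:
    accepted: bool
    reason: str


def ingest_unverified(store: Store, project_id: str, token: Optional[str],
                      payload: dict) -> IngestResult:
    """Pattern the advisory describes: the token arrives but is never checked.

    Anyone who knows the project ID and the webhook URL can write data;
    `token` is deliberately unused here to mirror that defect.
    """
    if project_id not in PROJECT_TOKEN_HASHES:
        return IngestResult(False, "unknown project")
    store.rows.setdefault(project_id, []).append(payload)
    return IngestResult(True, "stored")


def ingest_verified(store: Store, project_id: str, token: Optional[str],
                    payload: dict) -> IngestResult:
    """Hardened form: write only if the token matches the project's registered one."""
    expected = PROJECT_TOKEN_HASHES.get(project_id)
    if expected is None or not token:
        store.rejected.append((project_id, "missing token or unknown project"))
        return IngestResult(False, "unauthorized")
    # Constant-time digest comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected, _token_hash(token)):
        store.rejected.append((project_id, "token mismatch"))
        return IngestResult(False, "unauthorized")
    store.rows.setdefault(project_id, []).append(payload)
    return IngestResult(True, "stored")


def demo() -> dict:
    """Run the same request through both handlers and report what each accepted."""
    payload = {"issue": "PROJ-1-42", "status": "Done"}  # constructed payload
    vulnerable, hardened = Store(), Store()
    r1 = ingest_unverified(vulnerable, "PROJ-1", "wrong-token", payload)
    r2 = ingest_verified(hardened, "PROJ-1", "wrong-token", payload)
    r3 = ingest_verified(hardened, "PROJ-1", "token-for-proj-1", payload)
    return {
        "unverified_accepted_wrong_token": r1.accepted,
        "verified_accepted_wrong_token": r2.accepted,
        "verified_accepted_genuine_token": r3.accepted,
        "hardened_rejections_logged": len(hardened.rejected),
    }


if __name__ == "__main__":
    print(demo())
```

The rejection log in `Store.rejected` is the detection hook a defender would want: a burst of "token mismatch" entries for one project ID is the signal that someone holds the webhook URL and project ID but not the token.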
Acknowledgements
Thanks to lopseg for finding and reporting this vulnerability via our Bug Bounty program hosted through BugCrowd.
Fix
We have taken the following steps to address this issue:
Released version 4.51.0 that contains a fix for this issue.
What You Need to Do
Check whether your Jira server/DC instance has the vulnerable plugin installed or not. To do this, go to your applications and search for the “Koppla” plugin. If it is installed, check the version. If the version is less than 4.51.0, then the instance is vulnerable.
Upgrade to the latest version. Details on how to update apps can be found here.
Support
If you have questions or concerns regarding this advisory, please raise a support request via our support desk.