Important security fix for ScriptRunner for Confluence. Please read.
We are writing to inform you of a security vulnerability recently identified in ScriptRunner for Confluence Server and Data Center. The vulnerability affects all versions of ScriptRunner for Confluence from version 5.1.7 to version 5.6.15 (inclusive).
About the vulnerability
This is a remote code execution vulnerability. A malicious authenticated Confluence user could exploit it to run arbitrary code inside the Confluence instance.
This vulnerability has been rated as Critical according to Atlassian's Severity Levels for Security Issues and was identified as part of an internal security audit of our source code. Once we became aware of the issue, analysis and work towards finding a fix started immediately.
Based on our investigations, we have not found any instances of this vulnerability being exploited.
How to fix the vulnerability
If you are using Confluence 6.6.0 through Confluence 7.0.x, upgrade immediately to ScriptRunner for Confluence version 5.6.16 or higher.
If you are using Confluence 7.1 or higher, upgrade immediately to ScriptRunner for Confluence version 5.6.16.1-p5 or higher.
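Because the required fixed build depends on the Confluence line, and because builds such as 5.6.16.1-p5 do not compare correctly as plain strings, an inventory check is easy to get wrong. The following is an added example (not Adaptavist's code) that encodes only the version ranges stated above; the function names, the version parser and the sample inventory are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Ranges taken from the advisory text; nothing else here is from the vendor.
AFFECTED_MIN = "5.1.7"
AFFECTED_MAX = "5.6.15"               # inclusive
FIX_FOR_CONFLUENCE_6_6_TO_7_0 = "5.6.16"
FIX_FOR_CONFLUENCE_7_1_PLUS = "5.6.16.1-p5"

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-p(\d+))?$")


def version_key(version: str) -> tuple:
    """Turn '5.6.16.1-p5' into the comparable tuple (5, 6, 16, 1, 5).

    Dotted numerics are padded to four components; an optional '-pN'
    patch suffix becomes the fifth component (0 when absent), so
    5.6.16 < 5.6.16.1-p5 < 5.6.17 as the advisory intends.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(x) for x in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts[:4]) + (int(m.group(2) or 0),)


class Assessment(NamedTuple):
    affected: bool            # installed build lies inside the vulnerable range
    required: Optional[str]   # minimum fixed build for this Confluence line
    below_fix: bool           # installed build is older than that minimum


def assess(scriptrunner_version: str, confluence_version: str) -> Assessment:
    sr = version_key(scriptrunner_version)
    conf = version_key(confluence_version)
    affected = version_key(AFFECTED_MIN) <= sr <= version_key(AFFECTED_MAX)
    if version_key("6.6.0") <= conf < version_key("7.1.0"):
        required = FIX_FOR_CONFLUENCE_6_6_TO_7_0
    elif conf >= version_key("7.1.0"):
        required = FIX_FOR_CONFLUENCE_7_1_PLUS
    else:
        # The advisory names no fixed build for Confluence below 6.6.0.
        return Assessment(affected, None, affected)
    return Assessment(affected, required, sr < version_key(required))


if __name__ == "__main__":
    # Constructed sample inventory: (host, ScriptRunner build, Confluence build).
    for host, sr, conf in [("wiki-a", "5.6.15", "7.0.3"), ("wiki-b", "5.6.16", "7.1.0")]:
        print(host, assess(sr, conf))
```

Note the wiki-b case: 5.6.16 is outside the affected range, yet on Confluence 7.1 it is still below the 5.6.16.1-p5 build the advisory asks for.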
Workaround
We strongly recommend you immediately upgrade your ScriptRunner for Confluence. If you are not able to upgrade immediately, please use this workaround as a temporary solution.
For more details, please read the ticket SRCONF-1097.
If you have any questions, please raise a support request referencing SRCONF-1097.
Sincerely,
Adaptavist Apps Team
Dear User,
This email is to inform you that a security vulnerability has been discovered in Email This Issue for Jira. Below we aim to share more about the vulnerability and how it can be fixed or temporarily bypassed with a workaround.
About the vulnerability
The vulnerability has been discovered affecting the Email audit log and its items in all versions of the app. It allows an attacker to inject a persistent (stored) cross-site scripting payload, which is then triggered when another user views it.
The potential threat arises from expanding the Email details in the Email Audit Log and clicking on the malicious links. Therefore we recommend you take extra care opening the body of the emails and clicking the links in the Emails shown in the issue screen or in the Email Audit Log under the app's administration page until the app is updated to the latest version.
Below is an exact example with a screenshot:
https://aday.news/site/assets/files/1036/email-this-issue-screenshot.png
This threat is only present in incoming emails, outgoing emails are not affected. Therefore if you are not using Email This Issue's mail handler for incoming email processing, you are safe.
Once we became aware of the vulnerability, we considered our options and fixed it immediately.
How to fix the vulnerability
If you are using version 8.0.0 of the application
The security fix includes no new features and requires no further action on your part. Upgrade to 8.0.1 as usual and let us know if you notice anything unusual.
If you are using version 7.1.5 of the application
You can safely upgrade to version 8.0.1.
8.0.0 contains two major enhancements, but they do not affect current configurations.
If you are using an older version of the application
We recommend that you upgrade to the latest version, but read the release notes carefully and check your system first.
The official instructions for updating the application are available on the Atlassian support page (https://confluence.atlassian.com/upm/updating-apps-273875710.html).
Workaround
If you are unable to update Email This Issue for Jira to version 8.0.1, please follow the below steps as a temporary workaround:
1. Navigate to Email This Issue administration's General Configuration.
2. Select "Hide" in the Email Audit Log's dropdown menu.
Note that this workaround can be applied to versions 5.3 or higher.
As a result, no users will be able to see the Emails tab on the bottom of the issue page (hence the ability to click on any links is eliminated).
Administrator users will still be able to browse the email audit log in Email This Issue’s administration page.
If you have any questions, please raise a support request referencing "SA-20201" in the summary or send us an email to support@metainf.atlassian.net and include "SA-20201" in the subject.
Kind regards,
The META-INF Team