
2024-09 - P1 - Cloud - Unauthorized Data Leakage in Jira Service Desk via Microsoft To-Do Integration

Summary

In theory, any authorized Jira Service Management customer user would have been able to create a To-Do sync that creates a new Task in their own To-Do list for every service request, by crafting multiple requests against our internal API. This synchronization includes the most essential field details of each service request: title, summary and due date. The issue has been resolved. No action is required from our customers. We have not identified any attempt to exploit this issue.

Prerequisites

  • Using Jira Service Management Cloud

  • Using our app Microsoft 365 for Jira with To Do feature activated or using Microsoft To Do for Jira in a JSM project

Vulnerability Details

There was a bug in how our servers interpreted the Atlassian JWT information (Broken Access Control). Customer users with deep technical knowledge would have been able to craft an Atlassian JWT containing a valid “projectId” for our app, something our apps did not anticipate, and that allowed them to configure an invalid To Do synchronization via the API.
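The defect described above is a separation-of-duties failure: a request that carries a correctly signed JWT was treated as authorized to act on whatever project it named, without checking whether the subject was actually an agent on that project. The following is an added illustration of that pattern and its fix, not the vendor's code; the HS256 signing routine, the shared secret, the claim names (`sub`, `projectId`, `exp`), the project ids and the in-memory agent lookup are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed: which users hold the agent role on which projects.
# A real service would query the Jira permission API for this.
PROJECT_AGENTS = {
    "10001": {"agent-alice"},
}

# Constructed shared secret, standing in for the app's installation secret.
SHARED_SECRET = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(sub: str, project_id: str, ttl: int = 60) -> str:
    """Issue an HS256 JWT for `sub` that names `project_id` (constructed claim)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(
        json.dumps({"sub": sub, "projectId": project_id, "exp": time.time() + ttl}).encode()
    )
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str) -> dict:
    """Authentication only: check signature and expiry, return the claims."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


def is_agent(user: str, project_id: str) -> bool:
    """Authorization: does this subject hold the agent role on the project?"""
    return user in PROJECT_AGENTS.get(project_id, set())


def create_sync_vulnerable(token: str) -> dict:
    """Broken access control: a valid signature is treated as authorization,
    and the projectId is taken from the token as-is. Any authenticated user,
    customer accounts included, can therefore configure a sync for any project."""
    claims = verify_token(token)
    return {"owner": claims["sub"], "projectId": claims["projectId"], "created": True}


def create_sync_fixed(token: str) -> dict:
    """Hardened: authentication and authorization are separate checks.
    The projectId named in the request is only honoured if the subject
    is an agent on that project."""
    claims = verify_token(token)
    user, project_id = claims["sub"], claims["projectId"]
    if not is_agent(user, project_id):
        raise PermissionError(f"{user} is not an agent on project {project_id}")
    return {"owner": user, "projectId": project_id, "created": True}


def sync_allowed(token: str) -> bool:
    """Convenience wrapper: True if the hardened handler would accept the request."""
    try:
        create_sync_fixed(token)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    customer = make_token("customer-bob", "10001")
    agent = make_token("agent-alice", "10001")
    print("vulnerable handler, customer token:", create_sync_vulnerable(customer))
    print("fixed handler, customer token allowed:", sync_allowed(customer))
    print("fixed handler, agent token allowed:", sync_allowed(agent))
```

The point of the split is that `verify_token` answers "who sent this?" while `is_agent` answers "may they do this to that project?"; the vulnerable handler stops after the first question. When reviewing an integration that accepts JWTs, the useful check is whether every claim that selects a resource (`projectId` here) is compared against the subject's actual role before it is acted on.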

Resolution

We quickly identified the issue that led to this behavior and were able to fix it in a matter of days. The broken access control on the API has been fixed in our API service.

We checked all existing To Do synchronizations for suspicious configurations:

  • synchronizations by customer users

  • synchronizations into a different Microsoft tenant.

No suspicious To Do synchronizations have been found, and we have no further evidence that this has been exploited.

Credit

We want to thank the security researcher Lopseg for bringing this to our attention.


For further information or assistance, please contact our support team
