Notifyr Security Advisory 2021-01-15
| Summary | January 2021 Notifyr for Bitbucket Server and Data Center Advisory - XSRF and file-inclusion vulnerabilities. |
|---|---|
| Advisory Release Date | 15 Jan 2021 10:00 CET |
| Product | Notifyr - Notifications for Bitbucket Server |
| Affected Notifyr for Bitbucket Server and Data Center Versions | All versions from 1.0.0 onward that are below the fixed versions listed next (see "Summary of Vulnerability" below) |
| Fixed Notifyr for Bitbucket Server and Data Center Versions | 4.5.4, 5.3.0 |
Summary of Vulnerability
This advisory discloses critical severity security vulnerabilities in the Notifyr - Notifications for Bitbucket Server and Data Center versions listed above ("Affected Notifyr for Bitbucket Server and Data Center Versions").
Customers who have downloaded and installed any of the Notifyr for Bitbucket Server and Data Center versions listed above ("Affected Notifyr for Bitbucket Server and Data Center Versions") are affected.
Please upgrade your Notifyr for Bitbucket Server and Data Center installations immediately to fix these vulnerabilities.
Customers who have upgraded Notifyr for Bitbucket Server and Data Center to versions 4.5.4, 5.3.0, or higher are not affected.
Cross Site Request Forgery (CSRF) for certain administrator screens
Severity
ASK Software has given this vulnerability a critical rating. This rating was given according to the Atlassian security levels, which rank vulnerabilities as critical, high, moderate, or low severity.
This is our assessment and you should evaluate its applicability to your own IT environment.
Description
Notifyr for Bitbucket Server and Data Center versions starting from 1.0.0 had a CSRF vulnerability for certain app-specific administrator screens. A remote attacker with permission to log on to the victim's Bitbucket Server or Data Center instance can exploit this vulnerability and change settings and configuration on the Bitbucket Server or Data Center systems. This only applies to settings and configuration specific for Notifyr.
Since Notifyr version 5.2.0 administrator access is required to exploit this vulnerability.
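The defence against this class of issue is a per-session anti-forgery token that every state-changing admin request must carry, checked in constant time, plus an Origin/Referer check as a second layer. The following is an added illustration written for this advisory, not Notifyr's code: `update_app_settings`, the `xsrf_token` field name, the `expected_host` value and the request/session dictionaries are all assumed stand-ins for a real servlet or REST handler.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed field name for the anti-forgery token; the real app's name will differ.
TOKEN_FIELD = "xsrf_token"


def issue_token(session: dict) -> str:
    """Create a per-session token that the admin UI embeds in its forms."""
    token = secrets.token_urlsafe(32)
    session[TOKEN_FIELD] = token
    return token


def origin_matches(request: dict, expected_host: str) -> bool:
    """Second layer: the Origin (or Referer) header must belong to this instance.
    Browsers send Origin on cross-site form POSTs, so an absent header is refused too."""
    origin = request["headers"].get("Origin") or request["headers"].get("Referer")
    if origin is None:
        return False
    return urlsplit(origin).netloc == expected_host


def update_app_settings(request: dict, session: dict, settings: dict,
                        expected_host: str = "bitbucket.example.internal") -> tuple:
    """Admin-only settings change. Returns (status, message) and only mutates
    `settings` when the admin check, the token check and the origin check all pass."""
    user = request.get("user")
    if user is None or not user.get("is_admin"):
        return 403, "administrator access required"

    expected = session.get(TOKEN_FIELD)
    submitted = request["form"].get(TOKEN_FIELD)
    # compare_digest avoids leaking the token through timing differences.
    if not expected or not submitted or not hmac.compare_digest(expected, submitted):
        return 403, "XSRF token missing or invalid"

    if not origin_matches(request, expected_host):
        return 403, "cross-origin request refused"

    settings.update({k: v for k, v in request["form"].items() if k != TOKEN_FIELD})
    return 200, "settings updated"


def demo() -> tuple:
    """Constructed scenario: a forged cross-site POST riding on the admin's session,
    followed by a genuine form submission from the app's own admin screen."""
    session = {}
    settings = {"smtp_host": "mail.internal", "notify_on_failure": "true"}
    admin = {"name": "alice", "is_admin": True}

    # The victim's browser attaches the session cookie, but a third-party page
    # cannot read the token, so the form has no (or a wrong) token.
    forged = {"user": admin,
              "headers": {"Origin": "https://third-party.example"},
              "form": {"smtp_host": "changed-by-forged-request"}}
    forged_result = update_app_settings(forged, session, settings)

    token = issue_token(session)  # rendered into the real admin form
    legit = {"user": admin,
             "headers": {"Origin": "https://bitbucket.example.internal"},
             "form": {TOKEN_FIELD: token, "smtp_host": "mail2.internal"}}
    legit_result = update_app_settings(legit, session, settings)
    return forged_result, legit_result, settings
```

In an Atlassian plugin the same protection comes from the platform rather than hand-written code: the `atl_token` parameter on forms and the `@RequiresXsrfCheck` annotation on REST resources. The point of the example is what those mechanisms must guarantee: no settings write without a token the attacker cannot obtain.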
Acknowledgments
Credit for this finding goes to yeuchimse via the Bug Crowd program.
Inclusion of system files in Notifications
Severity
ASK Software has given this vulnerability a critical rating. This rating was given according to the Atlassian security levels, which rank vulnerabilities as critical, high, moderate, or low severity.
This is our assessment and you should evaluate its applicability to your own IT environment.
Description
Notifyr for Bitbucket Server and Data Center versions starting from 5.0.0 had a vulnerability that allowed content of system files to be included in notifications. A remote attacker with administrative access to the victim's email template editor could include any file from the system in the templates and expose the content of these files.
This vulnerability works in conjunction with the previously mentioned vulnerability "Cross Site Request Forgery (CSRF) for certain administrator screens": a CSRF against the template editor can plant an include that then reads server files.
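Whatever template engine a notification feature uses, the fix for this class of bug is the same: any include directive must be resolved against a fixed template directory, and absolute paths, parent-directory traversal, symlinks pointing outside that directory and non-template file types must be refused before the file is read. The following is an added example written for this advisory, not Notifyr's code; the `{{include "name"}}` syntax, the `.tmpl` extension and the `render`/`resolve_include` functions are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Only files of this type, inside the template root, may be pulled into a message.
ALLOWED_SUFFIX = ".tmpl"
INCLUDE_RE = re.compile(r'\{\{\s*include\s+"([^"]+)"\s*\}\}')
VAR_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")


class UnsafeIncludeError(ValueError):
    """Raised when a template asks for a file outside the template root."""


def resolve_include(root: Path, name: str) -> Path:
    """Map an include name to a file, refusing anything that escapes `root`."""
    if not name or name.startswith(("/", "\\")) or ":" in name:
        raise UnsafeIncludeError(f"absolute or drive-qualified include refused: {name!r}")
    if ".." in Path(name).parts:
        raise UnsafeIncludeError(f"parent-directory traversal refused: {name!r}")
    # realpath follows symlinks, so a link planted inside root that points
    # elsewhere on the filesystem is caught by the containment check below.
    root_real = Path(os.path.realpath(root))
    candidate = Path(os.path.realpath(root / name))
    if root_real not in candidate.parents:
        raise UnsafeIncludeError(f"include escapes template root: {name!r}")
    if candidate.suffix != ALLOWED_SUFFIX:
        raise UnsafeIncludeError(f"only {ALLOWED_SUFFIX} files may be included: {name!r}")
    if not candidate.is_file():
        raise FileNotFoundError(name)
    return candidate


def render(root: Path, template_text: str, variables: dict, depth: int = 0) -> str:
    """Expand include directives (confined to root) and simple {{var}} placeholders."""
    if depth > 3:
        raise UnsafeIncludeError("include nesting too deep")

    def expand(match):
        path = resolve_include(root, match.group(1))
        return render(root, path.read_text(encoding="utf-8"), variables, depth + 1)

    text = INCLUDE_RE.sub(expand, template_text)
    return VAR_RE.sub(lambda m: str(variables.get(m.group(1), "")), text)


def build_fixture() -> Path:
    """Constructed sample template directory (not from the advisory)."""
    root = Path(tempfile.mkdtemp(prefix="notif-templates-"))
    (root / "footer.tmpl").write_text("-- sent by {{app}}\n", encoding="utf-8")
    # A non-template file that happens to sit next to the templates must stay unreadable.
    (root / "secret.properties").write_text("db.password=example\n", encoding="utf-8")
    return root


def demo() -> dict:
    """Render one legitimate template, then try three includes that must be refused."""
    root = build_fixture()
    results = {}
    results["ok"] = render(root, 'Build {{build}} failed.\n{{include "footer.tmpl"}}',
                           {"build": "42", "app": "notifier"})
    for bad in ("../../../etc/hosts", "/etc/hosts", "secret.properties"):
        try:
            render(root, f'{{{{include "{bad}"}}}}', {})
            results[bad] = "allowed"
        except UnsafeIncludeError:
            results[bad] = "refused"
    return results
```

The nesting limit matters as much as the path check: an include that pulls in itself, or a long chain of includes, is the same editor abused for denial of service rather than disclosure.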
Acknowledgments
Credit for this finding goes to yeuchimse via the Bug Crowd program.
Fix
To address these issues, we have released the following Notifyr for Bitbucket Server and Data Center versions, each of which contains a fix for these issues:
4.5.4
5.3.0
These versions can be downloaded at https://marketplace.atlassian.com/apps/1211185/notifyr-notifications-for-bitbucket/version-history
What You Need to Do
ASK Software recommends that you upgrade to the latest version (5.3.0). For a full description of the latest version of Bitbucket Server and Data Center, see the release notes. You can download the latest version of Notifyr for Bitbucket Server and Data Center from the Atlassian Marketplace.
Mitigation
There are no known workarounds so it's important to upgrade to a fixed version as soon as possible.
If you have questions or concerns regarding this advisory, please raise a support request at https://ask-software.atlassian.net/servicedesk.