Vulnerability in 2.7.38-AC and earlier versions of Recurring Tasks

The vulnerability could affect only Jira instances where anonymous access was configured.

 

Hello,

We are writing to inform you of a security vulnerability that was recently identified in Recurring Tasks for Jira Cloud.

 

The vulnerability was identified in 2.7.38-AC and earlier versions of Recurring Tasks, which we develop. If the Jira administrator allows anonymous users access to one of the Jira projects, then anonymous users may create and modify other users' recurring tasks in certain situations.


This vulnerability has been rated as critical on the Common Vulnerability Scoring System (CVSS) scale.

 

The vulnerability was identified through the vulnerability disclosure program for Marketplace apps. Once we became aware of the issue, we reviewed the code, examined the database, checked the application's log files and identified the root cause. Based on what we found, we implemented changes to our product to fix the vulnerability.


Based on our investigations, the vulnerability is not likely to have had any impact on your Jira instance.

 

We’ve already updated the application in the Atlassian cloud environment with a new version that is free from this vulnerability. No further action is required from you at this point. 


We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for you or other customers. Please accept our sincere apologies for any inconvenience this may have caused.


If you have any questions, please feel free to raise a support request at support@gebsun.com.

 

Sincerely,

Mario Thor

Gebsun Software