Notifyr Security Advisory 2021-01-15

Summary

January 2021 Notifyr for Bitbucket Server and Data Center Advisory - XSRF and system file inclusion vulnerabilities.

Advisory Release Date

15 Jan 2021 10:00 CET

Product

Notifyr - Notifications for Bitbucket Server
Notifyr - Notifications for Bitbucket Data Center

Affected Notifyr for Bitbucket Server and Data Center Versions

  • All 1.x.x, 2.x.x, 3.x.x, 4.x.x, 5.x.x versions

  • All 4.5.x versions before 4.5.4

  • All 5.x.x versions before 5.3.0

Fixed Notifyr for Bitbucket Server and Data Center Versions

  • Version 4.5.4 for versions 1.x.x to 4.x.x

  • Version 5.3.0 for versions 5.x.x

Summary of Vulnerability

This advisory discloses critical severity security vulnerabilities in the Notifyr - Notifications for Bitbucket Server and Data Center versions listed above ("Affected Notifyr for Bitbucket Server and Data Center Versions").

Customers who have downloaded and installed any of the Notifyr for Bitbucket Server and Data Center versions listed above ("Affected Notifyr for Bitbucket Server and Data Center Versions") are affected.

Please upgrade your Notifyr for Bitbucket Server and Data Center installations immediately to fix these vulnerabilities.

Customers who have upgraded Notifyr for Bitbucket Server and Data Center to versions 4.5.4, 5.3.0, or higher are not affected.

Cross Site Request Forgery (CSRF) for certain administrator screens

Severity

ASK Software has given this vulnerability a critical rating. This rating was given according to the Atlassian security levels, which rank vulnerabilities as critical, high, moderate, or low severity.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

Notifyr for Bitbucket Server and Data Center versions starting from 1.0.0 had a CSRF vulnerability for certain app-specific administrator screens. A remote attacker with permission to log on to the victim's Bitbucket Server or Data Center instance can exploit this vulnerability and change settings and configuration on the Bitbucket Server or Data Center systems. This only applies to settings and configuration specific for Notifyr.

Since Notifyr version 5.2.0, administrator access is required to exploit this vulnerability.

Acknowledgments

Credit for this finding goes to yeuchimse via the Bug Crowd program.

Inclusion of system files in Notifications

Severity

ASK Software has given this vulnerability a critical rating. This rating was given according to the Atlassian security levels, which rank vulnerabilities as critical, high, moderate, or low severity.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

Notifyr for Bitbucket Server and Data Center versions starting from 5.0.0 had a vulnerability that allowed content of system files to be included in notifications. A remote attacker with administrative access to the victim's email template editor could include any file from the system in the templates and expose the content of these files.

This vulnerability works in conjunction with the previously mentioned vulnerability "Cross Site Request Forgery (CSRF) for certain administrator screens".
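The file inclusion issue described above is the kind of defect a path-confinement check prevents. The following is an added example, not Notifyr's code (the advisory does not describe its template engine); it assumes a hypothetical {{ include "name" }} directive and shows the unconfined resolver beside one that confines includes to the template directory.

```python
import os
import re
import tempfile
from pathlib import Path

# Hypothetical include directive; Notifyr's real template syntax is not known here.
INCLUDE_RE = re.compile(r'\{\{\s*include\s+"([^"]*)"\s*\}\}')


def resolve_include_unsafe(template_root: str, name: str) -> str:
    """Vulnerable pattern: whatever the template editor supplies is joined and read.
    An absolute path or a '../' sequence escapes the template directory."""
    return os.path.normpath(os.path.join(template_root, name))


def resolve_include_safe(template_root: str, name: str) -> Path:
    """Hardened pattern: resolve relative to template_root and refuse anything
    whose real path ends up outside that directory."""
    root = Path(template_root).resolve()
    if not name or "\x00" in name or os.path.isabs(name):
        raise ValueError(f"rejected include: {name!r}")
    candidate = (root / name).resolve()
    # relative_to raises ValueError when candidate is not inside root; this
    # catches '..' traversal and symlinks pointing elsewhere in one step.
    candidate.relative_to(root)
    if candidate.suffix not in {".html", ".txt"}:
        raise ValueError(f"rejected include (extension): {name!r}")
    return candidate


def render(template_root: str, template: str) -> str:
    """Expand include directives, reading only files the safe resolver accepts."""
    def expand(match: re.Match) -> str:
        return resolve_include_safe(template_root, match.group(1)).read_text(encoding="utf-8")
    return INCLUDE_RE.sub(expand, template)


def demo() -> dict:
    """Constructed check: a temporary template root holding one legitimate fragment."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "footer.html").write_text("-- sent by Notifyr --", encoding="utf-8")
        results = {"root": tmp, "legit": render(tmp, 'Hello {{ include "footer.html" }}')}
        for bad in ("/etc/passwd", "../../etc/passwd"):
            try:
                resolve_include_safe(tmp, bad)
                results[bad] = "allowed"
            except ValueError:
                results[bad] = "rejected"
        # The unconfined resolver happily walks out of the template directory.
        results["unsafe_escapes"] = resolve_include_unsafe(tmp, "../../etc/passwd")
    return results
```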

Acknowledgments

Credit for this finding goes to yeuchimse via the Bug Crowd program.
Fix

To address these issues, we have released Notifyr for Bitbucket Server and Data Center versions:

  • 4.5.4 that contains a fix for these issues.

  • 5.3.0 that contains a fix for these issues.

These versions can be downloaded at https://marketplace.atlassian.com/apps/1211185/notifyr-notifications-for-bitbucket/version-history

What You Need to Do

ASK Software recommends that you upgrade to the latest version (5.3.0). For a full description of the latest version of Bitbucket Server and Data Center, see the release notes. You can download the latest version of Notifyr for Bitbucket Server and Data Center from the Atlassian Marketplace.

Mitigation

There are no known workarounds, so it is important to upgrade to a fixed version as soon as possible.

If you have questions or concerns regarding this advisory, please raise a support request at https://ask-software.atlassian.net/servicedesk.