Second vulnerability notification: Process Management Suite for Confluence

Summary

XSRF and IDOR vulnerabilities in Process Management Suite for Confluence

Advisory Release Date

17 November 2020

Product

Process Management Suite for Confluence

Affected Versions

all Process Management Suite for Confluence versions until 3.1.3

Fixed Version

3.1.4

Problem

We were able to identify cross-site request forgery (also known as XSRF or CSRF) and insecure direct object references (IDOR) vulnerabilities in our Metadata for Confluence app. The details of the vulnerabilities are described in a separate blog post.

Since our Process Management Suite for Confluence app bundles Metadata for Confluence, it is also affected by these security issues.

Depending on the way the Metadata app is used in Confluence, the XSRF and IDOR vulnerabilities have to be rated as P2 (High) or P3 (Medium) according to the scale published in Bugcrowd's Vulnerability Rating Taxonomy (VRT).

All Process Management Suite for Confluence versions until 3.1.3 are affected.

Solution

If you are using an affected version of Process Management Suite for Confluence, please immediately upgrade to version 3.1.4.

Root Cause

Some of Metadata's write operations were missing appropriate measures to prevent cross-site request forgery attacks.

In regard to the IDOR vulnerabilities, Metadata had incomplete permission checks for some of its operations. In such cases, users were able to exploit the vulnerabilities by supplying to the affected Metadata endpoints a content ID that had been guessed, brute-forced or obtained by other means.
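The two root causes above are the two checks a write endpoint needs: a per-session anti-XSRF token and an object-level permission check on the supplied content ID. The following is an added illustration, not code from Metadata for Confluence or the Process Management Suite; the handler names, the in-memory content/editor tables and the session store are all hypothetical. It shows a write handler that only verifies "logged in" beside a hardened one that also verifies the token and the caller's permission on the specific content ID, and runs the same requests through both.

```python
import hmac
import secrets

# Constructed sample data (hypothetical, not the app's real model):
# content IDs, the users allowed to edit each one, and the metadata stored on them.
CONTENT_EDITORS = {101: {"alice"}, 202: {"bob"}}
METADATA = {101: {}, 202: {}}

# Per-session anti-XSRF tokens; a real app keeps these in its session store.
SESSION_TOKENS = {}


class Forbidden(Exception):
    """Caller is not logged in or lacks permission on the target object."""


class XsrfRejected(Exception):
    """Request carried no valid anti-XSRF token for its session."""


def issue_token(session_id):
    """Create and remember a random token for a session; pages embed it in forms."""
    token = secrets.token_hex(16)
    SESSION_TOKENS[session_id] = token
    return token


def update_metadata_vulnerable(user, content_id, key, value):
    """Write handler that only checks for a logged-in user.

    A cross-site form post succeeds because no token is required, and any
    authenticated user can change any content ID they manage to name (IDOR).
    """
    if user is None:
        raise Forbidden("not authenticated")
    METADATA[content_id][key] = value
    return dict(METADATA[content_id])


def update_metadata_hardened(user, session_id, submitted_token, content_id, key, value):
    """Write handler with both controls the advisory describes as missing."""
    if user is None:
        raise Forbidden("not authenticated")
    # Anti-XSRF: the submitted token must match the one issued to this session.
    expected = SESSION_TOKENS.get(session_id)
    if (expected is None or submitted_token is None
            or not hmac.compare_digest(expected, submitted_token)):
        raise XsrfRejected("missing or invalid anti-XSRF token")
    # Object-level authorization: the caller must be allowed to edit this content ID.
    # Unknown IDs get the same error as unpermitted ones, so the endpoint does not
    # reveal which IDs exist.
    if content_id not in METADATA or user not in CONTENT_EDITORS.get(content_id, set()):
        raise Forbidden("no edit permission on content %r" % (content_id,))
    METADATA[content_id][key] = value
    return dict(METADATA[content_id])


def _outcome(handler, *args):
    """Map a handler call to a short result label."""
    try:
        handler(*args)
        return "accepted"
    except XsrfRejected:
        return "xsrf_rejected"
    except Forbidden:
        return "forbidden"


def simulate():
    """Run the same requests against both handlers and return their outcomes."""
    alice_token = issue_token("sess-alice")
    bob_token = issue_token("sess-bob")
    return {
        # bob writes to alice's content with no token: the weak handler lets it through
        "vulnerable_bob_on_101": _outcome(update_metadata_vulnerable, "bob", 101, "owner", "bob"),
        # no token supplied: rejected before any permission lookup or write
        "hardened_no_token": _outcome(update_metadata_hardened, "alice", "sess-alice", None, 101, "owner", "alice"),
        # a token the session never issued: rejected the same way
        "hardened_wrong_token": _outcome(update_metadata_hardened, "alice", "sess-alice", "0" * 32, 101, "owner", "alice"),
        # valid token for bob's own session, but no permission on content 101
        "hardened_bob_on_101": _outcome(update_metadata_hardened, "bob", "sess-bob", bob_token, 101, "owner", "bob"),
        # valid token and a content ID that does not exist
        "hardened_unknown_content": _outcome(update_metadata_hardened, "alice", "sess-alice", alice_token, 999, "owner", "alice"),
        # valid token and permission on the target: accepted
        "hardened_alice_on_101": _outcome(update_metadata_hardened, "alice", "sess-alice", alice_token, 101, "owner", "alice"),
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print("%-26s %s" % (name, result))
```

The order of the checks matters: the token is verified before any lookup, so a forged cross-site request is rejected without touching the data, and the permission check is keyed on the content ID the request actually names, not on whether the user may edit something else.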

To address the problem, we resolved the issues in Metadata for Confluence and bundled the fixed version in our Process Management Suite for Confluence app.