Cloud security updates

Amoeboids is a Gold marketplace partner with Atlassian. One of the prerequisites for earning the metal badge is participation in the Bug bounty program.

This page consolidates all the vulnerabilities that we have been made aware of, whether through our own testing, via Bug bounty programs, or from any other third party. The intent is to keep our customers up to date about any security events and to ensure transparent communication.


We are writing to inform you of a vulnerability in the Automated Release Notes and Automated Release Notes (Free) apps that inadvertently exposed your data to authenticated users. The vulnerability affected cloud versions of these apps from 17th July 2020 to 18th November 2020.

The vulnerability was brought to our notice on 17 November 2020 by a researcher working on our Bug bounty program. Once we became aware of the issue, we took immediate action to investigate the matter. Based on what we found, we were able to identify where the issue lay in our app code and implement changes to ensure that this vulnerability is now fixed.

The vulnerability potentially allowed your Confluence URL, email address and hashed API token to be accessible to an unintended user. Based on our investigations, including analysis of our log files, there is no evidence to suggest that this vulnerability was exploited by malicious actors. As soon as we were notified of the vulnerability by the security researcher, we took pre-emptive steps. Once the complete fix was verified, a full-fledged build went live.

No further action is required from you at this point.

We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for you or other customers. Please accept our sincere apologies for any inconvenience this may have caused.

If you have any questions, please feel free to raise a support request at our service desk referencing https://amoeboids.atlassian.net/browse/AR-818.

https://amoeboids.atlassian.net/wiki/spaces/UR/pages/2489614388

We are writing to inform you of a vulnerability in the Automated Release Notes and Automated Release Notes (Free) apps that inadvertently exposed your data to anonymous users who got their hands on a privileged JWT token. The vulnerability affected cloud versions of these apps from 17th July 2020 to 3rd November 2020.

This vulnerability has been rated as critical, according to the scale published on the Common Vulnerability Scoring System (CVSS).

The vulnerability was brought to our notice on 23 October 2020 by a researcher working on our Bug bounty program. Once we became aware of the issue, we took immediate action to investigate the matter. Based on what we found, we were able to identify where the issue lay in our app code and implement changes to ensure that this vulnerability is now fixed.

The vulnerability potentially allowed all of your ARN data to be accessible to an anonymous user with a privileged JWT token. Based on our investigations, including analysis of our log files, there is no evidence to suggest that this vulnerability was exploited by malicious actors. As soon as we were notified of the vulnerability by the security researcher, we took pre-emptive steps. Once the complete fix was verified, a full-fledged build went live.

No further action is required from you at this point.

We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for you or other customers. Please accept our sincere apologies for any inconvenience this may have caused.

If you have any questions, please feel free to raise a support request at our service desk referencing https://amoeboids.atlassian.net/browse/AR-761.