...
On Confluence pages, the header layout used to be static; it now adjusts smoothly to various screen sizes. On mobile devices it has a clean layout with links, buttons, a subscribe button, and an edit page feature.
Bug Fixes
...
1. Fixed automatic reminder malfunction
We’ve resolved a bug where data from Jira embedded on Confluence pages wasn't functioning correctly when using custom domains.
Issue description
Enable automatic reminders.
Start an approval.
Wait for a reminder.
Observe that after 1 hour no reminder was sent (now fixed).
APFJ-498: Summary and Action missing from notification emails on Notification Steps
Add Web API DELETE endpoint to delete approvals
Description
New endpoints to be added to the Web API:
DELETE /approvals/ref
DELETE /approvals/ref/id
ref - issue key or page ID
id - approval ID
APFJ-491: Unauthorized Access to Private Space Definitions
Description
Summary
Lower privileged users can access any Confluence space's "approval path" definitions, including those for private spaces.
Details
As a proof of concept, observe that user 5e4dabfc393ea90c94b42043 does not have access to the privatespa space in Confluence:
On the left, note the definition ID:179303 created for the private space (by the admin):
...
Despite the application access controls, it was possible to bypass this restriction and access the private space definition ID:179303 while authenticated as user 5e4dabfc393ea90c94b42043:
...
Impact
In this scenario, the private space definition contains a Slack webhook to send notifications about approvals. An attacker can gain detailed information about approvals, processes, workflows, and integrations of any Confluence space by reading their definitions. Particularly when "webhooks" are used in approval steps, as demonstrated above, possessing the Slack webhook URL allows the attacker to send arbitrary messages to the victim's Slack.
Steps to Reproduce
Setup
As an administrator, install "Approval Path for Confluence".
Create a new private space in Confluence.
Access "Apps > Approval Path > Definitions".
Click "Add Definition".
Name the definition, select the private space, and click "Add Step".
Add any step you want (fill in the required fields).
Save the definition.
For ease of reproduction, copy the definition ID.
Attacker
Log in as a regular user.
Start Burp Suite.
Create a new space or access the user's personal space in Confluence.
Access "Space Settings > Approval Path > Definitions".
In Burp Suite (proxy history), identify the GET /connect/confluence/definitions request and copy the JWT from the jwt= URL parameter. Submit the request below, replacing {private-definition-id} and {attacker-jwt} with the obtained values:
GET /connect/confluence/definition?user_is_admin=false&previewMode=true&viewOnly=true&v=12&id={private-definition-id}&jwt={attacker-jwt} HTTP/1.1
Host: app.approval-path.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0)
Note that it was possible to access the private space definition.
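The fix this report calls for is an authorization check on the definition read itself: resolve the definition to its space, then verify that the caller may view that space before returning anything. The following is an added example, not the Approval Path app's own code. It places the vulnerable lookup pattern beside a hardened one; the space keys, the public definition, the viewer table and the webhook URL are constructed, and the caller's user id is assumed to come from the verified JWT, never from client-controlled query parameters such as user_is_admin.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Definition:
    id: int
    space_key: str
    steps: tuple  # step configs; webhook steps carry secrets such as Slack URLs


# Constructed sample data. Definition 179303 is the private-space definition
# from the report; space keys, the public definition and the URL are made up.
DEFINITIONS = {
    179303: Definition(179303, "PRIV",
                       ({"type": "webhook", "url": "https://hooks.slack.example/PLACEHOLDER"},)),
    100001: Definition(100001, "PUB",
                       ({"type": "approve", "approvers": ("alice",)},)),
}
# Who may view each space, as the host product (Confluence) would report it.
SPACE_VIEWERS = {
    "PRIV": {"admin"},
    "PUB": {"admin", "5e4dabfc393ea90c94b42043"},
}


def can_view_space(user_id: str, space_key: str) -> bool:
    """Stand-in for asking Confluence whether user_id can view the space."""
    return user_id in SPACE_VIEWERS.get(space_key, set())


def get_definition_vulnerable(user_id: str, definition_id: int,
                              user_is_admin: bool = False) -> Optional[Definition]:
    """Pattern behind the report: lookup by id only. user_id is ignored and the
    only 'authorization' input is a flag the client controls in the query string."""
    return DEFINITIONS.get(definition_id)


def get_definition(user_id: str, definition_id: int) -> Optional[Definition]:
    """Hardened: user_id comes from the verified JWT, and the space check is
    performed server-side on every definition read, not only on the list view."""
    definition = DEFINITIONS.get(definition_id)
    if definition is None or not can_view_space(user_id, definition.space_key):
        # One answer for "does not exist" and "not yours", so the id parameter
        # cannot be used as an oracle to confirm that a private definition exists.
        return None
    return definition
```

The HTTP layer maps a None result to a single 404 response; logging the denied (user_id, definition_id) pair gives a useful detection signal for enumeration of definition ids.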