Summary 🌟
In this release we have added new features: quick action buttons on the approvals list, a new API DELETE endpoint, and a required comment when an issue is rejected. Several fixes and improvements are also included.
New Features
Quick action buttons added on approval list view
We have implemented verified domains in External Share for Confluence.
We added "Approve", "Reject" and "Abstain" buttons to the approvals list, so users can act on an approval directly without opening each approval's detail view.
Require comment when rejecting an issue
On Confluence pages the header layout used to be static; it now adjusts to different screen sizes. On mobile devices it has a clean layout with links, buttons, a subscribe button, and an edit-page feature.
Bug Fixes
1. Fixed automatic reminder malfunction
We've fixed this issue (Jira APFJ-498). Steps that reproduced it:
1. Enable automatic reminders.
2. Start an approval.
3. Wait for a reminder.
4. Observe that after 1 hour no reminder was sent.
Summary and Action missing from notification emails on Notification Steps
Add Web API DELETE endpoint to delete approvals
Description
New endpoints added to the Web API (Jira APFJ-491):
DELETE /approvals/{ref}
DELETE /approvals/{ref}/{id}
ref: issue key or page ID
id: approval ID
Unauthorized Access to Private Space Definitions
Description
Summary
Lower privileged users can access any Confluence space's "approval path" definitions, including those for private spaces.
Details
As a proof of concept, observe that user 5e4dabfc393ea90c94b42043 does not have access to the privatespa space in Confluence (screenshot not reproduced here). Note the definition ID 179303 created for the private space by the admin (screenshot not reproduced here).
Despite the application's access controls, it was possible to bypass this restriction and read the private space definition ID 179303 while authenticated as user 5e4dabfc393ea90c94b42043 (screenshot not reproduced here).
Impact
In this scenario, the private space's definition contains a Slack webhook used to send notifications about approvals. By reading definitions, an attacker can learn the approval steps, processes, workflows and integrations of any Confluence space. Where webhook steps are used, as demonstrated above, the leaked Slack webhook URL is itself a bearer secret: anyone holding it can post arbitrary messages to the victim's Slack, so any webhook exposed this way should be regenerated.
Steps to Reproduce
Setup
1. As an administrator, install "Approval Path for Confluence".
2. Create a new private space in Confluence.
3. Open "Apps > Approval Path > Definitions".
4. Click "Add Definition".
5. Name the definition, select the private space, and click "Add Step".
6. Add any step (fill in the required fields).
7. Save the definition.
8. For ease of reproduction, copy the definition ID.
Attacker
1. Log in as a regular user.
2. Start Burp Suite.
3. Create a new space or open the user's personal space in Confluence.
4. Open "Space Settings > Approval Path > Definitions".
5. In Burp Suite (proxy history), find the GET /connect/confluence/definitions request and copy the JWT from its jwt= URL parameter.
6. Submit the request below, replacing {private-definition-id} and {attacker-jwt} with the obtained values:
```http
GET /connect/confluence/definition?user_is_admin=false&previewMode=true&viewOnly=true&v=12&id={private-definition-id}&jwt={attacker-jwt} HTTP/1.1
Host: app.approval-path.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0)
```
Note that it was possible to access the private space definition (screenshot not reproduced here).
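The request above succeeds because the app treats a valid Connect JWT (authentication) as sufficient and fetches the definition by ID alone; nothing ties the definition to a space the caller may view, and the client-supplied user_is_admin/viewOnly flags are not a control. The following is an added example, not the app's own code (the page does not show the real implementation or its language): a vulnerable handler next to a hardened one that performs object-level authorization against the definition's owning space. DEFINITIONS, SPACE_VIEWERS, SPACE_ADMINS, the hook URLs and the admin account ID are constructed stand-ins; it assumes the JWT has already been validated upstream and yields the caller's account ID. The redaction of webhook URLs for non-admin viewers goes beyond the report and is a design choice of this example.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Definition:
    id: int
    space_key: str
    name: str
    steps: Tuple[dict, ...]  # each step is a dict; a "webhook" step carries the hook URL


# Constructed sample data: ID 179303 and the space key "privatespa" mirror the
# report above; the hook URLs are placeholders, not real Slack webhooks.
DEFINITIONS: Dict[int, Definition] = {
    179303: Definition(179303, "privatespa", "Private space approvals",
                       ({"type": "webhook", "url": "https://hooks.slack.com/services/PRIVATE/EXAMPLE"},)),
    179304: Definition(179304, "PUBLIC", "Public space approvals",
                       ({"type": "webhook", "url": "https://hooks.slack.com/services/PUBLIC/EXAMPLE"},)),
}

# Constructed stand-in for Confluence space permissions. A real Connect app must
# look these up server-side for the account identified by the validated JWT
# (for example through the Confluence REST API); they never come from the request.
SPACE_VIEWERS: Dict[str, Set[str]] = {
    "privatespa": {"admin-account-id"},
    "PUBLIC": {"admin-account-id", "5e4dabfc393ea90c94b42043"},
}
SPACE_ADMINS: Dict[str, Set[str]] = {
    "privatespa": {"admin-account-id"},
    "PUBLIC": {"admin-account-id"},
}

ATTACKER = "5e4dabfc393ea90c94b42043"   # the low-privileged user from the report
ADMIN = "admin-account-id"             # hypothetical space admin
# Query string of the PoC request, minus the jwt (assumed validated upstream).
POC_PARAMS = {"user_is_admin": "false", "previewMode": "true", "viewOnly": "true",
              "v": "12", "id": "179303"}


class NotFound(Exception):
    """Raised for unknown and for forbidden IDs alike, so the endpoint cannot be
    used as an oracle to enumerate which definition IDs exist."""


def user_can_view_space(account_id: str, space_key: str) -> bool:
    return account_id in SPACE_VIEWERS.get(space_key, set())


def user_is_space_admin(account_id: str, space_key: str) -> bool:
    return account_id in SPACE_ADMINS.get(space_key, set())


def serialize(d: Definition, include_secrets: bool) -> dict:
    """Build the response body. Webhook URLs are bearer secrets, so they are
    redacted unless the caller may see integration details."""
    steps = []
    for step in d.steps:
        step = dict(step)
        if step.get("type") == "webhook" and not include_secrets:
            step["url"] = "[redacted]"
        steps.append(step)
    return {"id": d.id, "space": d.space_key, "name": d.name, "steps": steps}


def get_definition_vulnerable(account_id: str, params: dict) -> dict:
    """Mirrors the reported behaviour: account_id comes from a valid JWT, but
    authentication is the only check. The definition is fetched by ID alone and
    returned in full; the client-supplied user_is_admin/viewOnly flags are
    decoration, not a control."""
    d = DEFINITIONS[int(params["id"])]
    return serialize(d, include_secrets=True)


def get_definition_hardened(account_id: str, params: dict) -> dict:
    """Object-level authorization: resolve the definition, then check the caller
    against the space that owns it. The role used for redaction is computed
    server-side; params["user_is_admin"] is deliberately ignored."""
    d = DEFINITIONS.get(int(params["id"]))
    if d is None or not user_can_view_space(account_id, d.space_key):
        raise NotFound(params["id"])
    return serialize(d, include_secrets=user_is_space_admin(account_id, d.space_key))


def is_denied(handler, account_id: str, params: dict) -> bool:
    """True if the handler refuses the request (NotFound, or KeyError in the vulnerable one)."""
    try:
        handler(account_id, params)
    except (NotFound, KeyError):
        return True
    return False


if __name__ == "__main__":
    leaked = get_definition_vulnerable(ATTACKER, POC_PARAMS)
    print("vulnerable handler leaks:", leaked["steps"][0]["url"])
    print("hardened handler denies attacker:", is_denied(get_definition_hardened, ATTACKER, POC_PARAMS))
    public = get_definition_hardened(ATTACKER, {"id": "179304", "user_is_admin": "true"})
    print("hardened handler, attacker on public space:", public["steps"][0]["url"])
```

Two points the hardened handler illustrates: the authorization decision is keyed on the object's owner (the definition's space), not on anything the client sends, and an unknown ID and a forbidden ID produce the same response so the endpoint does not reveal which IDs exist. Binding the token to the request (the Connect qsh claim) only strengthens authentication; it does not decide who may read which definition, so the space check is still needed.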
We've added an option to require a comment from the approver when rejecting an issue. Once this feature is enabled, the approver must provide a comment with the rejection.
Added API DELETE endpoint
New DELETE endpoints have been added to the Web API, allowing the removal of approvals.
DELETE /approvals/{ref}
DELETE /approvals/{ref}/{id}
See the API documentation for details.
Improvements
Improved approval process
Previously, an approval would not start if the issue had no watchers (for example, after you stopped watching it). We've improved the approval process so that approvals can now start even with 0 watchers.
Bug Fixes
Fixed automatic reminder malfunction
Reminder emails were not sent as scheduled even when automatic reminders were enabled in settings. This is fixed and reminder emails are now sent on schedule.
Fixed notification email
We addressed a bug where Summary and Action were not displayed in emails for notification steps.
Fixed timestamps issue
The user's locale was not applied to Approval Path's comment timestamps in Jira issues. Both the locale and the time zone are now applied correctly based on the user's Atlassian account settings.
Fixed comment tooltip
The comment tooltip in Approval Path had a fixed size and did not expand to show all of its content. This is fixed, so the full text of a comment is now visible.