Version 4

Summary 🌟

In this release,


New Features

SSO verified domains NEW

We have implemented verified domains in External Share for Confluence.

Improvements

Improved header IMPROVED

On Confluence pages, the header layout used to be static; it now adjusts smoothly to various screen sizes. On mobile devices it has a clean layout with links, buttons, a subscribe button, and an edit-page feature.

Bug Fixes

APFJ-500

Fixed automatic reminder malfunction FIXED

We’ve fixed the following issue:

Issue description

  1. Enable automatic reminders

  2. Start approval

  3. Wait for a reminder

  4. Observe that after 1 hour a reminder was not sent (now fixed)

APFJ-498

Summary and Action missing from notification emails on Notification Steps

APFJ-492

Add Web API DELETE endpoint to delete approvals

Description

New endpoints to be added to the Web API:

  • DELETE /approvals/ref

  • DELETE /approvals/ref/id

ref - issue key / page id

id - approval id

APFJ-491

Unauthorized Access to Private Space Definitions

Description

Summary

Lower privileged users can access any Confluence space's "approval path" definitions, including those for private spaces.

Details

As a proof of concept, observe that user 5e4dabfc393ea90c94b42043 does not have access to the privatespa space in Confluence.

On the left, note the definition ID 179303 created for the private space (by the admin):

[Screenshot: image-20240731-165601.png]

Despite the application access controls, it was possible to bypass this restriction and access the private space definition ID 179303 while authenticated as user 5e4dabfc393ea90c94b42043:

[Screenshot: image-20240731-165628.png]

Impact

In this scenario, the private space definition contains a Slack webhook used to send notifications about approvals. An attacker can gain detailed information about the approvals, processes, workflows, and integrations of any Confluence space by reading its definitions. In particular, when webhooks are used in approval steps, as demonstrated above, possession of the Slack webhook URL allows the attacker to send arbitrary messages to the victim's Slack.

Steps to Reproduce

Setup

  1. As an administrator, install "Approval Path for Confluence".

  2. Create a new private space in Confluence.

  3. Access "Apps > Approval Path > Definitions".

  4. Click "Add Definition".

  5. Name the definition, select the private space, and click "Add Step".

  6. Add any step you want (fill in the required fields).

  7. Save the definition.

  8. For ease of reproduction, copy the definition ID.

Attacker

  1. Log in as a regular user.

  2. Start Burp Suite.

  3. Create a new space or access the user's personal space in Confluence.

  4. Access "Space Settings > Approval Path > Definitions".

  5. In Burp Suite (proxy history), identify the GET /connect/confluence/definitions request and copy the JWT from the jwt= URL parameter.

  6. Submit the request below, replacing {private-definition-id} and {attacker-jwt} with the obtained values:

     GET /connect/confluence/definition?user_is_admin=false&previewMode=true&viewOnly=true&v=12&id={private-definition-id}&jwt={attacker-jwt} HTTP/1.1
     Host: app.approval-path.com
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0)

  7. Note that it was possible to access the private space definition.
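One server-side fix for the issue described above is to authorize each read against the space the definition belongs to, rather than only validating the caller's JWT. This is an added example, not Approval Path's own code: the definition store, the space permission lookup and the handler names are assumptions, and the sample data is constructed (the definition id, space key and account id echo the report).

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Definition:
    id: int
    space_key: str
    steps: tuple = ()  # a webhook step here would carry the Slack URL
# Constructed sample data; the id and space key match the report above.
DEFINITIONS = {
    179303: Definition(179303, "privatespa",
                       ({"type": "webhook", "url": "https://hooks.slack.example/PLACEHOLDER"},)),
    179304: Definition(179304, "PUB"),
}
# Constructed stand-in for the host's space permission lookup:
# space key -> account ids allowed to view that space.
SPACE_VIEWERS = {
    "privatespa": {"admin-account"},
    "PUB": {"admin-account", "5e4dabfc393ea90c94b42043"},
}

class NotFound(LookupError):
    pass

def get_definition_vulnerable(account_id, definition_id):
    """Vulnerable shape: checks only that the caller is authenticated (has a valid
    JWT), never that the caller may view the space the definition belongs to."""
    if account_id is None:
        raise PermissionError("unauthenticated")
    defn = DEFINITIONS.get(definition_id)
    if defn is None:
        raise NotFound(definition_id)
    return defn

def get_definition(account_id, definition_id):
    """Hardened: resolve the definition, then require view permission on its
    space. Query flags such as previewMode/viewOnly never relax this check."""
    if account_id is None:
        raise PermissionError("unauthenticated")
    defn = DEFINITIONS.get(definition_id)
    if defn is None or account_id not in SPACE_VIEWERS.get(defn.space_key, set()):
        # Same answer for "no such id" and "not permitted", so ids cannot be enumerated.
        raise NotFound(definition_id)
    return defn

def can_read(account_id, definition_id, handler=get_definition):
    # True when the handler returns the definition, False when it refuses.
    try:
        handler(account_id, definition_id)
        return True
    except (PermissionError, NotFound):
        return False
```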

APFJ-489

APFJ-485

APFJ-447

APFJ-251

APFJ-123

APFJ-507
