Hello,
We are writing to inform you of an XXE security vulnerability that was recently identified in the Marketplace app “Enterprise Mail Handler for Jira Server/DC” by Michael Anastasakis from Klarna (thanks!). All historic versions (v3.3.73 and below) of JEMH Server/DC are affected.
Severity
The vulnerability has been rated LOW, according to the scale published on the Common Vulnerability Scoring System (CVSS) due to an authenticated Admin account being required. The vulnerability is not likely to have had any impact on you, with a worst case scenario that an Admin would be able to access text content from files that they may not already have access to (e.g. due to role segregation).
Timeline
The vulnerability was identified earlier this week, at which point we immediately validated the attack and took steps to fix, which was done by centralising XML parsing to enforce a block on this kind of attack for all usages and adding integration tests to validate it remains fixed.
Next Steps
In order to fix the vulnerability in your environment, directions for updating app to fixed versions, released on 7 JAN 2022:
v3.3.74 (Server) compatible with Jira 8.0.0+
v3.3.75 (DC) compatible with Jira 8.0.0+
If you have any questions, please feel free to raise a support request at https://thepluginpeople.atlassian.net/servicedesk/customer/portal/1 referencing XXE.
Sincerely,
Andy Brook
The Plugin People