Application Level DoS in Scroll Documents - Security Advisory 2020-08-14

Description

Summary

This advisory discloses a security issue of *medium* severity affecting Scroll Documents, and provides a step-by-step guide to help you rectify the issue. The following apps and versions are affected:

  • Scroll Documents for Confluence Server, versions 2.1.0 and older

  • Scroll Documents for Confluence Cloud, versions 2.0.22-AC and older

After updating to the fix versions, your instance is no longer affected by this security issue.

Severity

K15t Software rates the severity level of this issue as medium.

This is our baseline assessment - it's best if you evaluate its applicability to your own IT environment.

Detailed description

Read requests with a malformed JSON body crash the list of read requests in that space and may also crash the reader if it tries to load such a read request for the current document. This can be exploited, for example (but not only), as follows:

  • An attacker could deny access to the read request list UI and the reader UI in spaces that they have access to and where they have permission to create read requests.
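The failure mode described above, as an added illustration that is not K15t's code: a list renderer that parses every stored request body in one pass fails entirely on a single malformed body, while a hardened variant isolates each record's parse and shape check so the rest of the list still renders. The record fields (`id`, `body`, `title`, `assignees`) and the sample data are constructed assumptions, not the Scroll Documents schema.

```javascript
// Constructed sample of stored read requests; the third body is malformed JSON.
// Field names (id, body, title, assignees) are assumptions for illustration only.
const STORED_READ_REQUESTS = [
  { id: 'rr-1', body: '{"title":"Review release notes","assignees":["alice"]}' },
  { id: 'rr-2', body: '{"title":"Sign off API docs","assignees":["bob","carol"]}' },
  { id: 'rr-3', body: '{"title":"Broken", "assignees": [' }, // truncated JSON
];

// Fragile variant: one malformed body throws and the entire list fails to render.
function renderListFragile(records) {
  return records.map((r) => {
    const data = JSON.parse(r.body); // throws SyntaxError on rr-3
    return `${r.id}: ${data.title}`;
  });
}

// Hardened variant: parse each record in isolation and validate its shape,
// so a malformed entry is quarantined instead of taking the whole list down.
function parseReadRequest(record) {
  let data;
  try {
    data = JSON.parse(record.body);
  } catch (err) {
    return { ok: false, id: record.id, error: `invalid JSON: ${err.message}` };
  }
  const wellFormed = data !== null && typeof data === 'object'
    && typeof data.title === 'string' && Array.isArray(data.assignees);
  if (!wellFormed) {
    return { ok: false, id: record.id, error: 'unexpected shape' };
  }
  return { ok: true, id: record.id, data };
}

function renderListHardened(records) {
  const rendered = [];
  const quarantined = []; // surfaced to an admin/log rather than breaking the UI
  for (const r of records) {
    const result = parseReadRequest(r);
    if (result.ok) {
      rendered.push(`${result.id}: ${result.data.title}`);
    } else {
      quarantined.push({ id: result.id, error: result.error });
    }
  }
  return { rendered, quarantined };
}
```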

Steps we've taken to fix this issue

We have taken the following steps to address this issue:

  • Released the *Scroll Documents 2.2.0 (Server) and 2.0.23-AC (Cloud)* updates on the Atlassian Marketplace

  • Informed all app customers and evaluators through our release notes.

What you need to do to solve this issue on your instance

A Confluence administrator might need to upgrade Scroll Documents to these (or later) versions:

  • Scroll Documents for Confluence Cloud, version 2.0.23-AC or newer

  • Scroll Documents for Confluence Server, version 2.2.0 or newer

Scroll Documents for Confluence Cloud will usually be updated automatically in your Confluence Cloud instance by the Atlassian Marketplace. Hence, you only need to double-check that the version shown in the Manage Apps/Add-ons section is 2.0.23-AC or newer. If this is not the case, you need to trigger the update manually by clicking Update in the Manage Apps/Add-ons section of your Confluence Cloud instance.

Scroll Documents for Confluence Server needs to be updated within the Manage Apps/Add-ons section of your Confluence Server. You can do this either by clicking Update for Scroll Documents or by downloading the latest version from the Atlassian Marketplace and manually uploading it to your Confluence Server.

We are here to support you

We apologize deeply for any inconvenience this issue has caused you. If you would like assistance in correcting it, then we are here to help.

In case you have any questions or want support in fixing the issue on your system, please let us know at support@k15t.com. We are happy to schedule a 1:1 screen-sharing session to help you resolve the issue should you so desire.

Reporter

Maximilian Hilbert (K15t)

Deployment

Cloud
Server

Priority

Major