This advisory discloses a security issue of *medium* severity affecting Scroll Documents, and provides a step-by-step guide to help you rectify the issue. The following apps and versions are affected:
Scroll Documents for Confluence Server, versions 2.1.0 and older
Scroll Documents for Confluence Cloud, versions 2.0.22-AC and older
After updating to the fix versions, your instance is no longer affected by this security issue.
K15t Software rates the severity level of this issue as medium.
This is our baseline assessment; it is best if you evaluate its applicability to your own IT environment.
A read request whose stored JSON body is malformed crashes the list of read requests in that space, and may also crash the reader if it tries to load such a read request for the current document. Ways in which this can be abused include, but are not limited to:
An attacker could deny access to the read request list UI and the reader UI in spaces that they have access to and where they have permission to create read requests. The impact is limited to those spaces; no data is disclosed or modified.
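The failure pattern behind this advisory, as an added illustration that is not K15t's code and does not reflect how Scroll Documents actually stores read requests: a per-space list is rendered from stored JSON bodies, and a single malformed body thrown out of `JSON.parse` takes down the whole list. The hardened variant parses each record in isolation, checks the shape of the result, and reports bad records as placeholders instead of aborting. The record layout, field names, and the sample data are all constructed assumptions.

```javascript
// Added example, not code from Scroll Documents. Record shape and field names are assumed.

// Constructed sample: four stored read requests. "rr-2" has a truncated body
// (malformed JSON) and "rr-4" is valid JSON of the wrong shape.
const storedReadRequests = [
  { id: "rr-1", body: '{"documentId":"doc-1","reviewers":["alice"]}' },
  { id: "rr-2", body: '{"documentId":"doc-2","reviewers":["bob"' },
  { id: "rr-3", body: '{"documentId":"doc-3","reviewers":[]}' },
  { id: "rr-4", body: '"just a string"' },
];

// Fragile: the first bad record throws out of JSON.parse and the caller
// (the list UI) never gets to render anything, including the good records.
function loadReadRequestsFragile(records) {
  return records.map((r) => ({ id: r.id, ...JSON.parse(r.body) }));
}

// Hardened: parse each body on its own, validate the decoded shape, and
// return failures alongside successes so the UI can render the good ones
// and show a placeholder (or a delete control) for the bad ones.
function loadReadRequestsHardened(records) {
  const ok = [];
  const failed = [];
  for (const r of records) {
    let parsed;
    try {
      parsed = JSON.parse(r.body);
    } catch (e) {
      failed.push({ id: r.id, reason: "malformed JSON" });
      continue;
    }
    const wellFormed =
      typeof parsed === "object" && parsed !== null && !Array.isArray(parsed) &&
      typeof parsed.documentId === "string" && Array.isArray(parsed.reviewers);
    if (!wellFormed) {
      failed.push({ id: r.id, reason: "unexpected shape" });
      continue;
    }
    ok.push({ id: r.id, documentId: parsed.documentId, reviewers: parsed.reviewers });
  }
  return { ok, failed };
}

// Helper for the comparison: does the fragile loader abort on this input?
function fragileThrows(records) {
  try {
    loadReadRequestsFragile(records);
    return false;
  } catch (e) {
    return true;
  }
}
```

The same isolation applies to the reader: when it loads the single read request attached to the current document, a parse or shape failure should render an error state for that request rather than propagate and blank the page.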
We have taken the following steps to address this issue:
Released the *Scroll Documents 2.2.0 (Server) and 2.0.23-AC (Cloud)* updates on the Atlassian Marketplace.
Informed all app customers and evaluators through our release notes.
A Confluence administrator might need to upgrade Scroll Documents to these (or later) versions:
Scroll Documents for Confluence Cloud, version 2.0.23-AC or newer
Scroll Documents for Confluence Server, version 2.2.0 or newer
Scroll Documents for Confluence Cloud will usually be updated automatically in your Confluence Cloud instance by the Atlassian Marketplace. Hence, you only need to double-check that the version shown in the Manage Apps/Add-ons section is 2.0.23-AC or newer. If this is not the case, you need to manually trigger the update by clicking Update in the Manage Apps/Add-ons section of your Confluence Cloud instance.
Scroll Documents for Confluence Server needs to be updated within the Manage Apps/Add-ons section of your Confluence Server. You can do this either by clicking Update for Scroll Documents, or by downloading the latest version from the Atlassian Marketplace and manually uploading it to your Confluence Server.
We apologize for any inconvenience this issue has caused you. If you would like assistance in correcting it, we are here to help.
If you have any questions or want support in fixing the issue on your system, please let us know at email@example.com. We are happy to schedule a 1:1 screen-sharing session to help you resolve the issue, should you so desire.