Access token leak in Scroll Exporter apps for Confluence Cloud 2019-09-06

Description

Summary

This advisory discloses a security issue of critical severity affecting Scroll PDF Exporter, Scroll Word Exporter, Scroll Exporter Extensions and Scroll Wordpress Publisher and provides a step-by-step guide to help you rectify the issue.

Affected Products

  • Scroll PDF Exporter

  • Scroll Word Exporter

  • Scroll Exporter Extensions

  • Scroll Wordpress Publisher

We updated these apps to a fixed version on September 4th, 2019.

Severity

K15t rates the severity level of this issue as critical, because on Confluence Cloud it can be exploited to access and manipulate any customer data.

This is our baseline assessment – it's best if you evaluate its applicability to your own IT environment.

Detailed description

We found a bug in the way external content referenced in HTML is handled during the export. An attacker can exploit this bug to get access to credentials of our Cloud infrastructure. These credentials can be used to retrieve access credentials for authenticating against the REST APIs of customer Confluence instances, either as our Cloud apps or as any user. This allows an attacker to use these REST APIs to access or manipulate data such as Confluence pages or attachments.
To exploit this issue, an attacker needs access to any Confluence Cloud site, for example one that is owned by the attacker.

We've rated this bug with a CVSS score of 10.0 (Critical).
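The advisory does not detail the bug or the fix. As an added example (not K15t's code), the following shows one common hardening for an export service that fetches content referenced in HTML: allow only http(s) references whose host resolves exclusively to public addresses. All function names, the sample HTML and the resolver table are constructed for illustration.

```python
import ipaddress
import socket
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes through which exported HTML can pull in external content.
URL_ATTRS = {"src", "href", "data", "poster"}

class RefCollector(HTMLParser):
    """Collects every URL-bearing attribute value found in the HTML."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        self.refs += [v for k, v in attrs if k in URL_ATTRS and v]

def system_resolver(host):
    # Default resolver: every address the host name currently maps to.
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]

def is_fetchable(url, resolve=system_resolver):
    """True only for http(s) URLs whose host resolves solely to public IPs."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False  # rejects file:, data:, relative paths, etc.
        addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    except (OSError, ValueError):
        return False  # unresolvable or malformed: fail closed
    # is_global is False for loopback, link-local, private and reserved ranges.
    return bool(addrs) and all(a.is_global for a in addrs)

def audit_export_html(html, resolve=system_resolver):
    """Return (allowed, blocked) lists of external references in the HTML."""
    collector = RefCollector()
    collector.feed(html)
    allowed, blocked = [], []
    for ref in collector.refs:
        (allowed if is_fetchable(ref, resolve) else blocked).append(ref)
    return allowed, blocked

# Constructed sample input and a constructed offline resolver table.
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="https://cdn.example/site.css"></head>
<body><img src="http://internal.example/logo.png">
<img src="http://[::1]/x.png"><iframe src="file:///etc/hostname"></iframe></body></html>"""
FAKE_DNS = {"cdn.example": ["93.184.216.34"], "internal.example": ["10.0.0.5"], "::1": ["::1"]}

def fake_resolver(host):
    return FAKE_DNS.get(host, [])
```

A check like this only holds if the fetcher then connects to the address that was validated and repeats the check on every redirect. CSS `url()` references need the same treatment and are not parsed here.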

Steps we've taken to fix this issue

  • We updated our Cloud apps so they are no longer vulnerable to this attack.

  • We informed all affected customers of the vulnerability.

What you need to do to solve this issue on your instance

No actions are required from customers as updates occur automatically for Cloud apps.

Environment

None

Status

Assignee

Unassigned

Reporter

Sync User [K15t]

Labels

None

Participants

None

Deployment

Cloud

Components

Due date

2019/09/06

Priority

Major