Security Alert
A security vulnerability was discovered yesterday (2019-12-17). The vulnerability made it possible for a malicious user to access a Refined site as an anonymous user when anonymous access was not allowed on the site.
Risk Assessment
The vulnerability opened up for a user with access to an instance with Refined for Cloud to gain access to another customer's site. Resources that were available to the malicious user was the same that would have been available to an anonymous user, should the site have allowed anonymous access. This includes read access to the site themes, layouts (not layout sections with user group permission settings), Refined pages and recommended links. Any data from Atlassian, such as JSD requests, Jira issues and Confluence pages were protected by the permissions set up in the Atlassian platform. Refined pages associated with JSD portals, Jira projects and Confluence spaces was accessible to the extent that the corresponding Atlassian permission allowed.
If you have any questions regarding this matter please contact us at support@refined.com.
Resolution
The security vulnerability was fixed yesterday (2019-12-17) and possible existing malicious users' access to sites has been withdrawn today (2019-12-18).
No action is required from your part.
Special thanks
Special thanks goes to Julian Wolf who found and reported this vulnerability.