[Bugcrowd] JSM customers can get SMTP credentials and titles of all issues with approvals

Description

The app can be used in JSM, and there are some security settings related to what JSM users can or cannot do. I found that regardless of these settings, JSM customers can get the app settings. If the app is configured to use a custom SMTP server, the server credentials are disclosed to JSM customers. Also, the titles of all issues with approvals are disclosed to JSM users.

Steps to reproduce:

Part 1. Configuration

  1. Log in as admin, enable Jira Service Management if it is not enabled

  2. On the left-side panel click Apps -> Approval Path

  3. Go to Settings -> Email

  4. In Email carrier select SMTP + STARTTLS, fill all parameters and click Save

  5. Go to Settings -> General and enable Allow manual initiation of approvals

  6. Go to Definitions

  7. Click Create

  8. Set any name

  9. Select the JSM project in Space

  10. Click Add step -> and add any step

  11. Click Save definition

  12. Using Jira UI create a ticket in the JSM project (as a target to get a title of the issue)

  13. Open the created issue

  14. On the right-side panel expand Approval Path

  15. On New tab click Start to start an approval

Part 2. The vulnerability

  1. Go to https://<INSTANCE>.atlassian.net/servicedesk in an incognito browser window and sign up

  2. Confirm email to complete sign up

  3. Create any request and open it

  4. After the request is loaded, open the browser's request history (network tab) and find a request to https://app.approval-path.com/connect/jira/rest/definition/reference?jwt=.... Search for "email" in the response and you will find the credentials. Also, search for "approvals" and you will get the title of the issue created by the admin

I assume that all approvals are disclosed there, not only those created in JSM project. But I always get an error when I try to start an approval not on a JSM project.
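The defect reported above is a missing per-caller authorization step on the definition reference response: the same body, SMTP credentials and all approvals included, goes back to every caller. The following is an added example (not Approval Path's code) of the server-side response shaping that fixes this class of bug, plus a regression check that flags credential-looking keys in any response body. It assumes the app has already resolved the caller's role (admin, agent or customer) and the set of issue keys the portal lets that caller open; the payload layout and all values are constructed for the example.

```python
from dataclasses import dataclass, field
import copy

# Settings sections that must never leave the server for non-admin callers.
SENSITIVE_SETTINGS = {"email"}  # SMTP host/user/password live here (assumed layout)

@dataclass(frozen=True)
class Caller:
    role: str                              # "admin" | "agent" | "customer" (assumed)
    visible_issues: frozenset = field(default_factory=frozenset)  # issue keys portal shows

def shape_definition_response(payload: dict, caller: Caller) -> dict:
    """Return only what the caller may see; the bug was returning payload as-is."""
    out = copy.deepcopy(payload)
    if caller.role != "admin":
        for key in SENSITIVE_SETTINGS:
            out.get("settings", {}).pop(key, None)
    if caller.role == "customer":
        # Customers may only learn about approvals on requests they can already open.
        out["approvals"] = [a for a in out.get("approvals", [])
                            if a.get("issueKey") in caller.visible_issues]
    return out

def find_leaked_secrets(obj, path="") -> list:
    """Regression check: list paths of credential-looking keys in a response body."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}/{k}"
            if any(s in k.lower() for s in ("password", "secret", "token")):
                hits.append(p)
            hits.extend(find_leaked_secrets(v, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_leaked_secrets(v, f"{path}[{i}]"))
    return hits

SAMPLE_PAYLOAD = {  # constructed sample body, not a real Approval Path response
    "settings": {
        "general": {"allowManualInitiation": True},
        "email": {"carrier": "SMTP+STARTTLS", "host": "smtp.example.invalid",
                  "username": "approvals@example.invalid", "password": "s3cret"},
    },
    "approvals": [{"issueKey": "JSM-1", "title": "Laptop request"},
                  {"issueKey": "DEV-42", "title": "Internal refactor"}],
}

if __name__ == "__main__":
    print(shape_definition_response(SAMPLE_PAYLOAD, Caller("customer", frozenset({"JSM-1"}))))
```

Running `find_leaked_secrets` over every JSON body in the QA test suite is the cheap way to catch the second endpoint (`/reference/approvals`) the thread below found still leaking after the first fix.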

Activity

Adam Lipiński 21 January 2026, 17:37

QA pass completed. :check_mark: Neither global settings nor names of approvals from other tickets are visible to the JSM customer anymore through the request responses.

I’ve also checked whether the definition view functionality is correct from the perspective of different users, and I didn’t find any issues.

Igor Hercer 21 January 2026, 11:58

@Adam Lipiński I’ve fixed that. I’d like you to make sure that the definition form works, and that all of the preselected settings in global settings are present and correctly rendered on the definition form view (steps also).

Adam Lipiński 20 January 2026, 18:14

@Igor Hercer The “global settings” section is still visible for the JSM customer in the GET /connect/jira/rest/definition/206983?jwt=... endpoint response. This one is sent after clicking the “View” button on the definitions list (the eye icon).

I could not find this section in any other response’s body.

Adam Lipiński 19 January 2026, 11:50

@Igor Hercer I was about to write “QA pass completed” but I noticed that SMTP credentials are also visible for the JSM customer in the response of /connect/jira/rest/reference/approvals HTTP request.

Can we improve this here?

@Kamil Zarychta FYI.

Btw, sorry for the mix-up with statuses; I had already clicked ready to merge, so I had to restart to backlog.

Adam Lipiński 15 January 2026, 13:15

The issue has been successfully reproduced by QA with provided steps.

I assume that all approvals are disclosed there, not only those created in JSM project. But I always get an error when I try to start an approval not on a JSM project.

By the way, I confirm that this assumption from the researcher is correct: titles of issues from various projects are visible in the request response.