November 29, 2023
Advisory ID: JELLY-SA-2023-001
CVSS v4.0 Score: 2.1/Low
Publication Date: 2023-11-21
Last Revision Date: 2023-11-21
Status: Fixed
Document Revision: 1
# Overview
Jellyfish has improved the Jellyfish Agent such that it no longer prints 2 characters of the supplied JIRA password to stdout. Customers unaware of the old behavior may have had 2 characters of their integration’s JIRA passwords logged more broadly than intended in their environment.
The issue was discovered internally by Jellyfish team members.
# Description
Jellyfish has improved the Jellyfish Agent such that it no longer prints 2 characters of the supplied JIRA password to stdout. Previous versions of the agent printed 2 characters to help customers debug issues. However, this may not have been expected and customers who executed their agents in permissive locations may have revealed more information than desired.
It was discovered that bearer tokens were not affected by this vulnerability.
# Impact
This issue only affects customers who used a JIRA username and password as their integration method. Customers using Bearer Tokens are unaffected.
Only 2 characters of the password are logged to stdout. No part of the passwords leaves your local environment.
Customers are at risk only if:
1. They’re running their agent in a location where stdout can be observed by people other than who they intend to be able to view the JIRA password.
2. Those people can’t view the JIRA password elsewhere.
# Affected Product(s)
This affected the Jellyfish Agent (jf_agent) prior to February 8th, 2023. It was fixed in https://github.com/Jellyfish-AI/jf_agent/commit/6ce761d786157de7e93399612d764bd1553e62d2
# Solution
To prevent this issue, Jellyfish Agent administrators should ensure they are running an up-to-date version of the agent:
1. If you’re using Docker images: ensure you’re pulling the current `latest` or `stable` tag.
2. If you’re running from source, ensure your HEAD includes 6ce761d786157de7e93399612d764bd1553e62d2
If you have been storing/displaying the agent’s stdout and want to determine if 2 characters of your JIRA password has been displayed you can search for the string:
” Password: “
(Excluding the quotes)
# Vulnerability Metadata
Severity/Urgency: Green (Low)
CVSS v4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Green
# Timeline
## February 8, 2023
1:43PM Eastern – Pull request is updated to include fix and is merged. Issue is resolved.
10:21AM Eastern – Jellyfish engineer reaches out to security. Security recommends masking the password entirely instead of printing 2 characters of the password.
## February 6, 2023
6:13PM Eastern – Pull request is posted which updates code near where the printing of 2 characters was happening
11:37PM Eastern – Reviewer recommends reaching out to security to determine if we should stop printing any characters of the password.
# Credits/Contact
If you have questions regarding this issue, please contact us at:
support@jellyfish.co.
