Remote code execution vulnerability in Backbone Issue Sync (2019-06-24)

Summary

This advisory discloses a security issue of critical severity affecting Backbone Issue Sync, and provides a step-by-step guide to help you rectify the issue. The following apps and versions are affected:

• Backbone Issue Sync, version 3.5.0 or later, fixed with 3.9.3 and 4.0.1

After updating this app to the fixed version, your Jira instance is no longer affected by this security issue.

Severity

K15t Software rates the severity level of this issue as critical, as a remote attacker is able to execute code on your system.

This is our baseline assessment – it's best if you evaluate its applicability to your own IT environment.

Detailed description

Backbone Issue Sync is affected by a remote code execution vulnerability that enables attackers to execute arbitrary code on your system. This can be used for example, but is not limited to:

• Elevation of user privileges

• Installation of additional malicious apps

• Access to and modification of Jira content without further permission checks

Any Jira project admin who is able to configure a Backbone synchronization is able to exploit this bug.

Steps we've taken to fix this issue

We have taken the following steps to address this issue:

• Released fixed versions of Backbone Issue Sync on Atlassian Marketplace

• Informed all app customers and evaluators who might have been affected

What you need to do to solve this issue on your instance

A Jira administrator needs to upgrade Backbone Issue Sync to these (or later) versions:

• Backbone Issue Sync, version 3.9.3, version 4.0.1 or later

We are here to support you

We apologize deeply for any inconvenience this issue has caused you. If you would like assistance in correcting it, then we are here to help.

In case you have any questions or want to get support in fixing the issue on your system please let us know at support@k15t.com.