XML vulnerability in Backbone Issue Sync

Description

Summary

This advisory discloses a security issue of high severity affecting Backbone Issue Sync. The following apps and versions are affected:

  • Backbone Issue Sync, version 3.0.29-AC and older versions

After updating this app to the fixed version, your Jira instance is no longer affected by this security issue. Please see below for steps on how to update.

Severity

K15t rates the severity level of this issue as high, as a remote attacker is able to read certain data from our infrastructure.

This is our baseline assessment; please evaluate its applicability to your own IT environment.

Detailed description

Backbone Issue Sync for Jira Cloud is affected by an XML vulnerability through which potential attackers can read certain infrastructure data. Examples of what this can be used for include, but are not limited to:

  • Read access to some error and support zip files

Any Jira project admin who is able to configure a Backbone synchronization can exploit this bug.

Steps we've taken to fix this issue

We have taken the following steps to address this issue:

  • Released fixed versions of Backbone Issue Sync on Atlassian Marketplace

  • Informed all app customers and evaluators through our release notes

What you need to do to solve this issue on your instance

A Jira administrator might need to upgrade Backbone Issue Sync to these (or later) versions:

  • Backbone Issue Sync for Jira Cloud, version 3.0.30-AC or newer

Backbone Issue Sync for Jira Cloud is usually updated automatically in your Jira Cloud instance by the Atlassian Marketplace. Hence, you only need to double-check that the version shown in the Manage Apps/Add-ons section is 3.0.30-AC or newer. If it is not, trigger the update manually by clicking Update in the Manage Apps/Add-ons section of your Jira Cloud instance.
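For administrators who track many instances, the same version check can be scripted. The following is an added example, not K15t's or Atlassian's code. It assumes an app inventory exported as a list of key/version entries (a constructed sample is embedded below and the app key is a placeholder) and treats any version that is numerically older than 3.0.30-AC as affected; the "-AC" suffix is parsed but ignored for ordering.

```python
"""Audit an app inventory for Backbone Issue Sync versions older than the fixed one.

Added example; not code from K15t or Atlassian. The inventory shape and the app
key are assumptions, not taken from the advisory.
"""
import re

FIXED_VERSION = "3.0.30-AC"  # first fixed version named in the advisory

# Assumption: placeholder app key; replace with the key shown in Manage Apps.
BACKBONE_KEY_PLACEHOLDER = "PLACEHOLDER-backbone-issue-sync-app-key"

# Constructed sample inventory (values made up for this example).
SAMPLE_INVENTORY = [
    {"key": BACKBONE_KEY_PLACEHOLDER, "version": "3.0.29-AC"},
    {"key": "example.other.app", "version": "1.2.3"},
]

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-([A-Za-z0-9]+))?")


def parse_version(text):
    """Split '3.0.29-AC' into ((3, 0, 29), 'AC'); reject anything unexpected."""
    match = _VERSION_RE.fullmatch(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, match.group(2) or ""


def is_affected(installed, fixed=FIXED_VERSION):
    """True when the installed version is numerically older than the fixed one.

    Components are compared left to right; shorter tuples are zero-padded so
    that '3.1' sorts as 3.1.0. The suffix is deliberately not part of the order.
    """
    a, _ = parse_version(installed)
    b, _ = parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit(inventory, app_key=BACKBONE_KEY_PLACEHOLDER):
    """Return (version, affected) for each matching entry; empty list if not installed."""
    return [
        (entry["version"], is_affected(entry["version"]))
        for entry in inventory
        if entry.get("key") == app_key
    ]


if __name__ == "__main__":
    for version, affected in audit(SAMPLE_INVENTORY):
        state = "AFFECTED, update required" if affected else "fixed"
        print(f"Backbone Issue Sync {version}: {state}")
```

Feed `audit` the inventory of each instance you manage; an empty result means the app is not installed under the assumed key, which is worth distinguishing from "fixed".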

We are here to support you

We apologize deeply for any inconvenience this issue has caused you. If you would like assistance in correcting it, then we are here to help.

If you have any questions or want support in fixing the issue on your system, please let us know at support@k15t.com.

Issue details

  • Deployment: Cloud

  • Affects versions: 3.0.29-AC

  • Priority: Major

  • Reporter: Sync User [K15t]

  • Assignee: Unassigned