Manual pairing of issues allows pairing of issues that are not synced
Description
Summary
This advisory discloses security issues of medium severity affecting Backbone Issue Sync. The following apps and versions are affected:
Backbone Issue Sync for Jira, version 3.1.7-AC and before
After updating this app to the fixed version, your Jira instance is no longer affected by this security issue. Please see below for steps on how to update.
Severity
K15t rates the severity level of this issue as high.
This is our baseline assessment – it's best if you evaluate its applicability to your own IT environment.
Detailed description
Backbone Issue Sync for Jira Cloud is affected by a vulnerability where an attacker could use the manual pairing of issues to synchronize field information of issue types that are not part of the synchronization. The attacker needs to be a project administrator in Jira and needs to have access to the Backbone UI.
Steps we've taken to fix this issue
We have taken the following steps to address this issue:
Released fixed versions of Backbone Issue Sync on the Atlassian Marketplace
Added a new advanced setting sync.syncUnsyncedIssueTypeAllowed
Informed all app customers and evaluators through our release notes
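The flaw described above is a missing check at the point where two issues are manually paired: the pairing should be refused when either issue's type is not part of the configured synchronization, unless the new advanced setting explicitly allows it. The following Python sketch is an added illustration written for this advisory and is not Backbone's code; the SyncConfig class, the issue dictionaries, the pairing functions and the treatment of the setting as a boolean are assumptions made for the example (only the setting name sync.syncUnsyncedIssueTypeAllowed comes from the advisory).

```python
from dataclasses import dataclass, field

# Setting name taken from the advisory; its boolean semantics here are an assumption.
ADVANCED_SETTING = "sync.syncUnsyncedIssueTypeAllowed"


class PairingRejected(Exception):
    """Raised when a manual pairing would synchronize an issue type outside the sync."""


@dataclass
class SyncConfig:
    """Hypothetical model of a synchronization: which issue types each side syncs.

    synced_issue_types maps a side ("local"/"remote") to the issue type names
    that the synchronization is configured for (constructed example data).
    """
    synced_issue_types: dict[str, set[str]]
    advanced_settings: dict[str, bool] = field(default_factory=dict)

    def allows_unsynced_issue_types(self) -> bool:
        # Opt-in only: the safe default is to refuse unsynced issue types.
        return self.advanced_settings.get(ADVANCED_SETTING, False)


def unsynced_issue_types(config: SyncConfig, local: dict, remote: dict) -> list[tuple[str, str]]:
    """Return (side, issue_type) for every issue whose type is not part of the sync."""
    return [
        (side, issue["type"])
        for side, issue in (("local", local), ("remote", remote))
        if issue["type"] not in config.synced_issue_types.get(side, set())
    ]


def pair_issues_vulnerable(config: SyncConfig, local: dict, remote: dict, pairs: list) -> list:
    """'Before' behaviour: any two issues a project administrator selects get paired,
    so field information of issue types outside the sync is synchronized too."""
    pairs.append((local["key"], remote["key"]))
    return pairs


def pair_issues_hardened(config: SyncConfig, local: dict, remote: dict, pairs: list) -> list:
    """Fixed behaviour: refuse the pairing unless both issue types are part of the
    configured synchronization, or the advanced setting explicitly opts in."""
    offending = unsynced_issue_types(config, local, remote)
    if offending and not config.allows_unsynced_issue_types():
        raise PairingRejected(f"issue type(s) not part of the synchronization: {offending}")
    pairs.append((local["key"], remote["key"]))
    return pairs


if __name__ == "__main__":
    # Constructed sample data: only "Bug" is synced on both sides.
    config = SyncConfig(synced_issue_types={"local": {"Bug"}, "remote": {"Bug"}})
    local_epic = {"key": "PRJ-2", "type": "Epic"}
    remote_bug = {"key": "EXT-1", "type": "Bug"}
    print("vulnerable:", pair_issues_vulnerable(config, local_epic, remote_bug, []))
    try:
        pair_issues_hardened(config, local_epic, remote_bug, [])
    except PairingRejected as exc:
        print("hardened:", exc)
```

The check is deliberately placed on the server side of the pairing operation rather than in the UI, since the attacker in this advisory already holds project-administrator rights and Backbone UI access; the setting only widens what that role may pair, and stays off unless an administrator turns it on.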
What you need to do to solve this issue on your instance
The fixed version is automatically rolled out for all Jira Cloud instances.
We are here to support you
We apologize deeply for any inconvenience this issue has caused you. If you would like assistance in correcting it, then we are here to help.
In case you have any questions or want to get support in fixing the issue on your system, please let us know at help@k15t.com.