XML vulnerability in Backbone Issue Sync (2019-08-16)
Fixed
Description
Summary
This advisory discloses a security issue of high severity affecting Backbone Issue Sync. The following apps and versions are affected:
Backbone Issue Sync, version 3.0.29-AC and older versions
After updating this app to the fixed version, your Jira instance is no longer affected by this security issue. Please see below for steps on how to update.
Severity
K15t rates the severity level of this issue as high, as a remote attacker is able to read certain data from our infrastructure.
This is our baseline assessment – it's best if you evaluate its applicability to your own IT environment.
Detailed description
Backbone Issue Sync for Jira Cloud is affected by an XML vulnerability where potential attackers can read certain infrastructure data. This can be used for example, but is not limited to:
Read access to some error and support zip files
Any Jira project admin who is able to configure a Backbone synchronization is able to exploit this bug.
Steps we've taken to fix this issue
We have taken the following steps to address this issue:
Released fixed versions of Backbone Issue Sync on Atlassian Marketplace
Informed all app customers and evaluators through our release notes
What you need to do to solve this issue on your instance
A Jira administrator might need to upgrade Backbone Issue Sync to these (or later) versions:
Backbone Issue Sync for Jira Cloud, version 3.0.30-AC or newer
Backbone Issue Sync for Jira Cloud will usually be updated automatically in your Jira Cloud instance by the Atlassian Marketplace. Hence, you only need to double-check if the version in the Manage Apps/Add-ons section is 3.0.30-AC or newer. If this is not the case, you need to manually trigger this update by clicking on Update in the Manage Apps/Add-ons section of your Jira Cloud instance.
We are here to support you
We apologize deeply for any inconvenience this issue has caused you. If you would like assistance in correcting it, then we are here to help.
In case you have any questions or want to get support in fixing the issue on your system please let us know at support@k15t.com.
Summary
This advisory discloses a security issue of high severity affecting Backbone Issue Sync. The following apps and versions are affected:
Backbone Issue Sync, version 3.0.29-AC and older versions
After updating this app to the fixed version, your Jira instance is no longer affected by this security issue. Please see below for steps on how to update.
Severity
K15t rates the severity level of this issue as high, as a remote attacker is able to read certain data from our infrastructure.
This is our baseline assessment – it's best if you evaluate its applicability to your own IT environment.
Detailed description
Backbone Issue Sync for Jira Cloud is affected by an XML vulnerability where potential attackers can read certain infrastructure data. This can be used for example, but is not limited to:
Read access to some error and support zip files
Any Jira project admin who is able to configure a Backbone synchronization is able to exploit this bug.
Steps we've taken to fix this issue
We have taken the following steps to address this issue:
Released fixed versions of Backbone Issue Sync on Atlassian Marketplace
Informed all app customers and evaluators through our release notes
What you need to do to solve this issue on your instance
A Jira administrator might need to upgrade Backbone Issue Sync to these (or later) versions:
Backbone Issue Sync for Jira Cloud, version 3.0.30-AC or newer
Backbone Issue Sync for Jira Cloud will usually be updated automatically in your Jira Cloud instance by the Atlassian Marketplace. Hence, you only need to double-check if the version in the Manage Apps/Add-ons section is 3.0.30-AC or newer. If this is not the case, you need to manually trigger this update by clicking on Update in the Manage Apps/Add-ons section of your Jira Cloud instance.
We are here to support you
We apologize deeply for any inconvenience this issue has caused you. If you would like assistance in correcting it, then we are here to help.
In case you have any questions or want to get support in fixing the issue on your system please let us know at support@k15t.com.