Security Advisory 2022-01-25

We wish to advise our customers of a vulnerability in Refined for Jira Server / Data Center. Affected versions are 3.0.0-3.1.4 and 3.2.0-3.2.12.

Risk Assessment

Our assessment for the vulnerability is Medium as per Atlassian’s rating, because to carry out an attack the user needs admin privileges or must otherwise trick an admin user.

The vulnerability would allow an attacker with Jira admin or Refined Admin permissions to perform a zip traversal attack by uploading a crafted zip file as a theme file.
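The mitigation for a zip traversal ("zip slip") flaw is to resolve every archive entry against the intended extraction directory and refuse any entry that would land outside it. The extractor below is an added example written for this advisory; it is not Refined's code (the plugin itself is a Java Atlassian app, and the same check applies there), and the theme directory, entry names and file contents are constructed for the demonstration.

```python
import io
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple


def safe_entry_target(dest_dir: str, entry_name: str) -> Optional[Path]:
    """Resolve a zip entry name under dest_dir.

    Returns the absolute target path, or None when the entry would land
    outside dest_dir (absolute names, drive letters, or '..' components).
    """
    dest_root = Path(dest_dir).resolve()
    # Reject absolute names and Windows drive prefixes before joining.
    if entry_name.startswith(("/", "\\")) or (len(entry_name) > 1 and entry_name[1] == ":"):
        return None
    # Normalise backslashes so '..\\' is caught on POSIX hosts as well.
    candidate = (dest_root / entry_name.replace("\\", "/")).resolve()
    try:
        candidate.relative_to(dest_root)
    except ValueError:
        return None
    return candidate


def extract_theme_zip(zip_bytes: bytes, dest_dir: str) -> Tuple[List[str], List[str]]:
    """Extract only entries that resolve under dest_dir.

    Returns (extracted_names, rejected_names); rejected names are worth
    logging, since a well-formed theme upload should never contain any.
    """
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = safe_entry_target(dest_dir, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def build_sample_zip() -> bytes:
    """Constructed sample archive: one legitimate theme file plus one
    traversal entry of the kind the advisory describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("theme/style.css", "body { color: #333; }")
        zf.writestr("../../outside.txt", "should never be written")
    return buf.getvalue()


def run_demo() -> Tuple[List[str], List[str], bool, bool]:
    """Extract the sample into a temporary theme directory and report
    (extracted, rejected, traversal_file_escaped, css_written_correctly)."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "themes"   # hypothetical theme directory
        dest.mkdir()
        ok, bad = extract_theme_zip(build_sample_zip(), str(dest))
        escaped = (Path(tmp).parent / "outside.txt").exists()
        css_ok = (dest / "theme" / "style.css").read_text() == "body { color: #333; }"
    return ok, bad, escaped, css_ok


if __name__ == "__main__":
    extracted, rejected, escaped, css_ok = run_demo()
    print("extracted:", extracted)
    print("rejected:", rejected)
    print("traversal entry escaped:", escaped)
```

The check is done on the fully resolved path rather than by string-matching for `..`, so entries such as `theme/../../x`, backslash-separated names and absolute paths are all caught by the same `relative_to` test. Running the demo extracts `theme/style.css` and rejects `../../outside.txt` without touching anything above the theme directory.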

If you have any questions regarding this, please reach out to us.

Fixed versions

This issue has been fixed in versions 3.1.5 and 3.2.14. If you are currently on a lower version, we recommend upgrading to 3.1.5, 3.2.14 or any 3.3 release. Please note that if you upgrade via UPM, you will get the latest version (3.3.x). To upgrade to one of the lower versions, you need to download the JAR file from the Atlassian Marketplace and manually upload it in the UPM.