Security Advisory
We wish to advise our customers of a vulnerability in Refined for Jira Server / Data Center. Affected versions are 3.0.0-3.1.4 and 3.2.0-3.2.12.
Risk Assessment
Our assessment of the vulnerability is Medium as per Atlassian's rating. This is because the user needs admin privileges, or must otherwise trick an admin user, in order to carry out an attack.
The vulnerability would allow an attacker with Jira admin or Refined Admin permissions to perform a zip traversal attack by uploading a crafted zip file through the theme file upload.
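For readers who maintain their own upload handlers, the following is an added example (not Refined's code, and not taken from this advisory) of the check that prevents zip traversal: every archive entry is resolved against the intended extraction directory before it is written, and entries that would land outside it are rejected. The sample archive, its entry names and the `theme/` directory layout are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path
from typing import List, Tuple


def is_safe_member(dest_dir: Path, member_name: str) -> bool:
    """True only if extracting member_name under dest_dir stays inside dest_dir.

    The comparison uses os.path.commonpath on fully resolved paths, so a
    sibling directory with a shared prefix (e.g. /tmp/theme vs /tmp/theme2)
    is not mistaken for a child of the destination.
    """
    dest = dest_dir.resolve()
    # Absolute entry names can never be legitimate relative theme files.
    if os.path.isabs(member_name) or member_name.startswith(("/", "\\")):
        return False
    target = (dest / member_name).resolve()
    try:
        return os.path.commonpath([str(dest), str(target)]) == str(dest)
    except ValueError:  # e.g. different drives on Windows
        return False


def safe_extract(zip_bytes: bytes, dest_dir: Path) -> Tuple[List[str], List[str]]:
    """Extract only entries that resolve inside dest_dir.

    Returns (rejected_names, extracted_names) so the caller can log or
    alert on rejected entries instead of silently dropping them.
    """
    rejected: List[str] = []
    extracted: List[str] = []
    dest_dir.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(dest_dir, info.filename):
                rejected.append(info.filename)
                continue
            zf.extract(info, str(dest_dir))
            extracted.append(info.filename)
    return rejected, extracted


def build_sample_zip() -> bytes:
    """Constructed test archive: one legitimate theme file plus two
    traversal-style entries of the kind a safe extractor must refuse."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("theme/css/style.css", "body{}")
        zf.writestr("../../outside.txt", "should never be written")
        zf.writestr("/etc/evil.txt", "should never be written")
    return buf.getvalue()


def run_demo() -> Tuple[List[str], List[str], bool]:
    """Extract the sample archive into a temporary directory and report
    which entries were rejected, which were written, and whether the
    written ones actually exist under the destination."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "theme-upload"
        rejected, extracted = safe_extract(build_sample_zip(), dest)
        all_present = all((dest / name).is_file() for name in extracted)
        return rejected, extracted, all_present


if __name__ == "__main__":
    print(run_demo())
```

The important design point is that the check runs on the resolved target path, not on the raw entry name: filtering for the literal string `..` misses encodings and normalisation differences, while comparing the final on-disk location against the destination directory catches all of them.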
If you have any questions regarding this, please reach out to us via support.refined.com.
Fixed versions
This issue has been fixed in versions 3.1.5 and 3.2.14. If you are currently on a lower version, we recommend upgrading to 3.1.5, 3.2.14 or any 3.3 release. Please note that if you upgrade via UPM, you will get the latest version (3.3.x). To upgrade to one of the lower versions, you need to download the JAR file from the Atlassian Marketplace and manually upload it in the UPM.