2020-09-04

  • We have contracted the services of some ethical hackers in Russia to find vulnerabilities in the app. As a result of this research, some vulnerabilities were detected affecting URLs susceptible to XSRF (cross-site request forgery) attacks: if a Jira Administrator with an active Jira session in the same browser visits a malicious site, that site could potentially manage all the BIRT reports (edit, delete, change access permissions and available locations) as well as upload new ones. This last action is considered a high-risk vulnerability.
Warning

Please upgrade to version 3.6.4 or above to resolve this issue.


2020-07-01

  • A security threat was detected in 3.6.2 and previous versions allowing a malicious Jira user to perform an XSS attack (JavaScript injection). Credit to Ivan Rumak and Alexey Rumak, who reported it via https://detectify.com/. Thank you!



Warning

Please upgrade to version 3.6.3 or above to resolve this issue.


...

Upgrade to version 2.3.0 as soon as possible.

Upgrading is a breeze: it requires a single click and the upgrade is safe.

The newer version restricts uploading Eclipse BIRT reports to Jira administrators only. Jira administrators are able to delegate this feature to other Jira users and groups that they trust. Please see the new form to configure upload permissions, available from version 2.3.0:

...