Security Vulnerability affecting User Management Apps
Incident Report for TechTime Initiative Group
Resolved
This incident has been resolved.
Posted Aug 02, 2023 - 17:00 NZST
Monitoring
The following apps have been found to be affected by a stored cross-site scripting (XSS) vulnerability on the Bulk User Actions page:

- User Management for Jira
- User Management for Confluence
- User Management for Bitbucket

This affects the following versions:

- User Management for Jira: 2.0.0 - 2.17.1
- User Management for Confluence: 2.0.0 - 2.15.24
- User Management for Bitbucket: 2.2.2 - 2.15.24

These vulnerabilities have been assessed as CVSS v3 7.5 (High): https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

We recommend that you upgrade to a fixed version as soon as possible to ensure that you are not affected.

If you are not able to upgrade to a fixed version, please consider disabling the app until you can, or contact us directly at support@techtime.co.nz

More information is available here: https://techtime.co.nz/display/TECHTIME/Security+Vulnerability+Affecting+User+Management

TechTime would like to acknowledge and thank Carl Nykvist for discovering and reporting these vulnerabilities.
Posted Jun 20, 2023 - 13:15 NZST
This incident affected: TechTime Data Center Apps (UserManagement for Jira Data Center, UserManagement for Confluence Data Center, UserManagement for Bitbucket Data Center) and TechTime Server Apps (UserManagement for Jira Server, UserManagement for Confluence Server, UserManagement for Bitbucket Server).