Atlassian notified us of two security issues on 5 May 2021; both were fixed on 8 May 2021.
- The first was caused by a security weakness in a framework provided by Atlassian (more info here). The impact on the solution was a corner case where anonymous Jira users could extract an issue PDF despite not having access. Please note that the default is NOT to allow anonymous users, so Jira had to be explicitly configured to enable this use case.
- The second was that a user could extract some solution parameters by Handlebars injection in a PDF template. However, there was no impact on user data.