Create
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Community resources
Community resources
Community resources
i have multiple questions
Jahanzaib_Ahmed
I'm New Here 
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
February 13, 2026 edited
| S.NO | VULNERABILITY NAME | THREAT | DESCRIPTION | IMPACT | RECOMMENDATIONS | SEVERITY | AFFECTED ASSETS | REPORTED BY |
| 1 | Possibility of Data Leakage - Attachment File Size | Data Theft | It was discovered that the current max attachment file size limit is 1GB. | As it is a cloud platform, it is currently accessible from a public network. It is also one of the few platforms where users can upload files without issues when on an MBL machine on the MBL network. This greatly increases the likelihood of an insider threat through data theft. | Set max attachment file size limit to 20MB. Disable ZIP option too. | HIGH | https://*-mbl.atlassian.net/ | IS-CS |
| 2 | Account Lockout - No Backup | Account Compromise | It was discovered that there exists only 1 Organizational Admin (full-admin rights). | In the case of compromise of the single Organization Admin's account, it will be very difficult to initiate containment and recovery procedures. | Add another Organizational Admin to the platform. | HIGH | https://*-mbl.atlassian.net/ | IS-CS |
| 3 | Idle Session Timeout Failure | Unauthorized Session Access | It was noted that portal session management settings/parameters do not enforce secure timeout limits; sessions remain active longer than recommended. | Prolonged active sessions can lead to unauthorized access, session hijacking, and non-compliance with security policies. | It is recommended to configure secure session timeout aligned with policy and best practices. A.8.3, A.8.5 ISO/IEC 27002 | HIGH | https://id.atlassian.com | IS-CRU |
| 4 | Inadequate Controls for Concurrent Session Management | Unauthorized Access Using Compromised Credentials | It was observed that the system lacks technical controls for concurrent session management, allowing multiple active sessions per user. | Multiple concurrent sessions increase the likelihood of unauthorized access, data leakage, and misuse. | It is recommended to implement concurrent session limits per user account. ISO 27001 A.5.15 | HIGH | https://id.atlassian.com | IS-CRU |
| 5 | Excessive or Unrestricted Vendor Access | Unauthorized or Unapproved Changes to System Configurations | It was observed that vendor access lacks appropriate restrictions, increasing the risk of unauthorized system changes. | Vendor access to line updates may result in unauthorized modifications, data integrity issues. | It is recommended to restrict vendor access based on the principle of least privilege. Enable detailed logging, monitoring, and periodic access reviews. ISO 27001 A.8.2 , A.8.16 | HIGH | https://id.atlassian.com | IS-CRU |
| 6 | Absence of Enforced Role-Based Access Controls | Privilege Escalation and Misuse of System Capabilities | It was observed that Role-Based Access Control (RBAC) is not implemented in the Jira portal. | Failure to enforce role-based access control increases the risk of unauthorized access. | It is recommended to implement Role-Based Access Control aligned with business functions. ISO 27001 A.5.15 | HIGH | https://id.atlassian.com | IS-CRU |
| 7 | Weak MFA Enforcement | Account Takeover | It has been observed that Multi-Factor Authentication (MFA) can be disabled by normal users, weakening authentication controls. | Disabling MFA significantly increases the risk of account compromise through stolen or weak credentials. This may lead to unauthorized access, data breaches, and regulatory non-compliance. | Increased risk of unauthorized access, account compromise, and regulatory non-compliance. | HIGH | https://*-mbl.atlassian.net/ | IS-GC |
| 8 | Server Hosted in Hostile Geographic Location | Unauthorized Access | The application allows users to access a server hosted in a hostile or high-risk geographic location without implementing adequate geo-location controls, network segmentation, or compensating security measures. | Hosting servers in hostile locations increases exposure to external threat actors, unauthorized access attempts, and potential compromise of systems and customer data. | IS-GC recommends relocating the server to an approved geographic location or implementing geo-location restrictions, enhanced network segmentation, continuous monitoring, and risk-based access controls. | HIGH | https://*-mbl.atlassian.net/ | IS-GC |
| 9 | Unrestricted Attachment Download | Data Leakage | Attachments can be downloaded by any user without enforcing role-based access controls or data classification restrictions. | Unrestricted attachment downloads increase the risk of unauthorized data access and exfiltration. This may lead to sensitive data leakage and loss of confidentiality. | Risk of sensitive or confidential data leakage and unauthorized data exfiltration. | HIGH | https://*-mbl.atlassian.net/ | IS-GC |
| 10 | Absence of Access User List | Excessive Privileges | A consolidated and approved access user list with defined user lifecycle is not maintained for the application. | Lack of a consolidated user access list reduces visibility into user privileges and access rights. This increases the risk of excessive, unauthorized, or dormant accounts remaining active. | Limited visibility over user access rights, increasing the risk of unauthorized or excessive access. | HIGH | Documentation | IS-GC |
| 11 | Audit Log Irregularity (User Activity) | Inadequate Audit Trail | It has been observed that audit logs are irregular and user-side activities are not fully captured or visible, resulting in incomplete audit trails. | Incomplete audit logs limit the ability to trace user actions and investigate security incidents. This may delay incident response and result in audit and regulatory non-compliance. | Reduced ability to trace user actions, delayed incident detection, and non-compliance with regulatory logging requirements. | HIGH | https://*-mbl.atlassian.net/ | IS-GC |
| 12 | Misconfiguration - Unrestricted User Access Request | Unauthorized Access | It was discovered that any user can request access to MBL Apps without admin approval. | The possiblity of a malicious user gaining access to MBL Apps and associated data is increased. | Admin approval should be required for user addition to Apps. | HIGH | https://*-mbl.atlassian.net/ | IS-CS IS-GC |
| 13 | Misconfiguration - Lacking Company Domain Verification | Lack of Traceability | It was discovered that Company Domain was not verified. | Non-verification means that the Organizational Admin cannot effectively administrate platform users and has to handle them on an invidual basis. | Verify the Company Domain (meezanbank) so that the Organizational Admin can administrate more effectively using policy schemes, exhanced user management interfaces, and more detailed logging. | HIGH | https://*-mbl.atlassian.net/ https://admin.atlassian.net/ | IS-CS |
| 14 | Offshore Cloud Risk | Regulatory Non-Compliance | It was discovered that currently, Jira contains material and sensitive business data, hosted in an offshore environment. | Without SBP approval may lead to regulatory non-compliance, unauthorized access, and data exposure. | IS-GC recommends hosting the applications either on-premises or with SBP Approval. SBP Cloud Outsourcing Guidelines; ISO/IEC 27001:2022 – A.5.23 (Information Security for Use of Cloud Services) | HIGH | https://*-mbl.atlassian.net/ | IS-GC |
| 15 | Logs Issue - SIEM Integration | Lack of Traceability | It was discovered that user activity logs are not integrated with the SIEM. | Absence of user activity trail will result in unaccountability of user activity. | Integrate user activity logs with the SIEM | MEDIUM | https://*-mbl.atlassian.net/ | IS-CS |
| 16 | Logs Issue - Retention Period | Lack of Traceability | It was discovered that currently, the platform Audit Logs Retention Period is set to just 3 months. | Absence of a long user activity trail will result in unaccountability of user activity for malicious or suspicious actions being performed over a long period of time. | Set platform Audit Logs Retention Period to 6 Months (current max). | MEDIUM | https://*-mbl.atlassian.net/ | IS-CS |
| 17 | Misconfiguration - Unrestricted User Invite Requests | Unauthorized Access | It was discovered that any user from any domain can invite any other user without restrictions or admin approval. | The possiblity of a malicious user gaining access to MBL Apps and associated data is increased. | Ensure that users from only approved domains (meezanbank, techlogix, etc.) can be Invited to Apps. | MEDIUM | https://*-mbl.atlassian.net/ https://admin.atlassian.net/ | IS-CS |
| 18 | Possibility of Data Leakage - Third Party AI Integration | Sensitive Information Disclosure | It was discovered that Atlassian's proprietary Rovo AI can be integrated with the AIs of other companies like Anthropic and OpenAi for data collection. | Third party AI companies can possible train their models on MBL data. | Block third party domains from data access for Rovo AI. | MEDIUM | https://*-mbl.atlassian.net/ https://admin.atlassian.net/ | IS-CS |
| 19 | Non-Hostile Locations in Data Residency | Data Theft / Regulatory or Compliance Violation | It was discovered that a defined location is not set for the data stored on the Atlassian cloud. | Allowing data to be stored on servers housed in non-hostile regions (India, Israel, Cuba, etc.) may result in both lapse in regulatory compliance and possibility of data theft by nation state actors. | Set Data Residency to be at non-Hostile Locations. | MEDIUM | https://*-mbl.atlassian.net/ https://admin.atlassian.net/ | IS-CS |
| 20 | Unrestricted Public Internet | Unauthorized Access | Organizational systems are accessible over the public internet without formally defined access restrictions or enforced security controls. | Unrestricted public internet access increases the risk of unauthorized access and potential data breaches, leading to possible exposure of sensitive information. | Implement access control policies, restrict public internet exposure, enforce network security controls (e.g., firewalls, access filtering), and regularly review external access configurations. | MEDIUM | https://*-mbl.atlassian.net/ | IS-GC |
| 21 | Data Flooding Through Public Access | DOS | It was discovered that current Jira users with access to MBL Sites/Apps can share links to forms that are publicly accessible. | Currently, the functionality is not limited to admin users. This means any normal user can create and share a form publicly so that anyone can constantly submit the form, thus constantly creating new tasks. | Disable public access for forms for all Spaces and Space Roles. | LOW | https://*-mbl.atlassian.net/ https://admin.atlassian.net/ | IS-CS |
| 22 | Misconfiguration - DevOps | Sensitive Information Disclosure | It was discovered that Development and Operations features (DevOps), where code repositories could be integrated with the Jira platform, are enabled. | Integrating entire code respositories on an external, cloud platform may result in the disclosure of proprietary code. | Disable all toggleable options related to Development and Operation in the Features section (in all Spaces). | LOW | https://*-mbl.atlassian.net/ | IS-CS |
| 23 | Misconfiguration - Third Party Platform Connectivity | Unauthorized Access | It was discovered that it was possible to connect contacts from unauthorized domains. | Third party platform connectivity undermines the robustness of RBAC policy and allows potential malicious actors to gain access. | Disable third party contact connectivity. | LOW | https://*-mbl.atlassian.net/ | IS-CS |
2 answers
What is you question in relation to these vulnerabilities?
Hi, @Jahanzaib_Ahmed
You sent list of vulnerabilities, but where is your question?
What exactly you want to ask?
Best regards!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Was this helpful?
Thanks!
TAGS
Community showcase
Atlassian Community Events
Copyright © 2026 Atlassian
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.