We need support and an explanation for a vulnerability returned for your software by HP WebInspect.

Shawn August 17, 2017

Critical security vulnerability found by HP WebInspect regarding input validation. Note, this is a critical security vulnerability that's currently prohibiting a customer-base Wiki application from deploying onto a NASA production server. Your quick response with an explanation for the vulnerability returned in your software, or a fix, is required for further validation with NASA Information Assurance before they will allow production deployment of your software onto their servers.

Report states: The 'Authorization' HTTP header line must have at least 270 A's.

Demonstration Exploit: GET / HTTP/1.0 Authorization: Ax270.

Implication: A remote user can execute arbitrary code on the target system.
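The WebInspect finding quoted above is the scanner's generic long-`Authorization`-header probe (270 bytes of `A`). Before escalating a finding like this to a vendor, a team can replay the exact probe in-process against a header-length guard and confirm that an oversized header produces a clean 4xx rather than an error the scanner could interpret as memory corruption. The following is an added example written for this thread; it is not Confluence or Atlassian code, and the `header_guard` middleware, the `MAX_AUTH_HEADER_LEN` limit and the WSGI layout are assumptions.

```python
"""Replay the WebInspect 'Authorization: Ax270' probe in-process against a
header-length guard. Added example for this thread, not Atlassian code.
The guard, the limit and the WSGI layout below are assumptions."""
from wsgiref.util import setup_testing_defaults

# Assumed limit. Tune to the tokens the real app accepts: Basic credentials are
# short, but bearer JWTs commonly exceed 256 bytes and a guard this tight
# would break legitimate logins.
MAX_AUTH_HEADER_LEN = 256


def parse_raw_request(raw: bytes) -> dict:
    """Parse the request line and headers of a raw HTTP/1.0 request,
    the same shape the scanner sends."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def check_header_lengths(headers: dict, limit: int = MAX_AUTH_HEADER_LEN) -> list:
    """Return the names of headers whose values exceed the limit."""
    return [name for name, value in headers.items() if len(value) > limit]


def header_guard(app, limit: int = MAX_AUTH_HEADER_LEN):
    """WSGI middleware (assumed design): reject any request header longer than
    `limit` with 431 so the probe never reaches the application code."""
    def guarded(environ, start_response):
        for key, value in environ.items():
            if key.startswith("HTTP_") and isinstance(value, str) and len(value) > limit:
                start_response("431 Request Header Fields Too Large",
                               [("Content-Type", "text/plain")])
                return [b"request header too large\n"]
        return app(environ, start_response)
    return guarded


def backend(environ, start_response):
    """Stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def run_probe(raw: bytes, app) -> tuple:
    """Feed a raw request into a WSGI app in-process (no network) and
    return (status line, response body)."""
    req = parse_raw_request(raw)
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = req["method"]
    environ["PATH_INFO"] = req["target"]
    environ["SERVER_PROTOCOL"] = req["version"]
    for name, value in req["headers"].items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    result = {}

    def start_response(status, response_headers, exc_info=None):
        result["status"] = status

    body = b"".join(app(environ, start_response))
    return result["status"], body


# Constructed inputs: the scanner's probe as quoted in the thread, and an
# ordinary Basic-auth request for comparison.
SCANNER_PROBE = b"GET / HTTP/1.0\r\nAuthorization: " + b"A" * 270 + b"\r\n\r\n"
NORMAL_REQUEST = b"GET / HTTP/1.0\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n"

if __name__ == "__main__":
    guarded_app = header_guard(backend)
    print("probe, guarded:  ", run_probe(SCANNER_PROBE, guarded_app))
    print("normal, guarded: ", run_probe(NORMAL_REQUEST, guarded_app))
    print("probe, unguarded:", run_probe(SCANNER_PROBE, backend))
```

The point of the replay is the shape of the response, not the limit itself: a server that answers the oversized header with a well-formed 4xx (or even a 200, as the unguarded stand-in does) is handling the input, whereas a dropped connection or a 5xx is what would justify chasing the "arbitrary code" implication further. Any production limit should be checked against the longest legitimate token the deployment issues before it is enforced.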

2 answers

0 votes
AnnWorley
Atlassian Team
August 17, 2017

@Shawn, we provide support here for starter licenses. :)

I asked the security team how I could help with your security concern and they advised me to direct you to How to Report a Security Issue.

It would be great if you could follow up here in the Community when you get an answer, in case someone else has the same issue. 

Shawn August 17, 2017

Hi Ann, thanks for your suggestion. I have filed a security Issue here: https://securitysd.atlassian.net/servicedesk/customer/portal/2/SEC-1650

I tried to report a bug, as I thought that would be the quickest resolution, but I found I did not have permissions to submit a bug. So the link for reporting a security issue was where I needed to go.

I will report back here on its success. Most likely it is not an actual vulnerability, but as it is a common security inspection tool flagging a vulnerability, we have to follow up. Thanks for your help,

Shawn

0 votes
Nic Brough -Adaptavist-
Community Leader
August 17, 2017

You'll need to take that up with your hosting provider or Atlassian.  We're just end users.  Atlassian are here, but they don't provide formal support here.
