Atlassian released the following advisory last month:
Under the "Acknowledgement" section it says user "Magic Ice Cream Shop" discovered this vulnerability. There is no information on how Magic Ice Cream Shop did it (i.e. how a user with "Add Page" space permission can view files in <install-directory>/confluence/WEB-INF).
I would appreciate it if Atlassian could release steps to reproduce this vulnerability so that we can make a determination as to whether an upgrade to a fixed version is necessary.
I think if you are a paying customer (which I am) then Atlassian should inform us at least privately (i.e. does not have to be through this forum).
Knowing how the attack works and trying it on my system is far less work than upgrading to the nearest fixed version.
If Atlassian prefers, I can launch an actual support ticket. But either way, it is really important for me to know how this vulnerability can be exploited.
Still, as a customer of Atlassian, if I got the recipe from Atlassian, I could happily exploit other customers' instances. Why would Atlassian, or any company for that matter, do such a thing with their product customers?!
A support ticket, or even if I am ready to pay extra money to a company to know how to hack their product, they would (and should) never do that.
Yes I understand, but this can be taken care of easily by simply signing an agreement identifying myself to Atlassian as a paying customer who has no malicious intent and will not pass this information on to anyone. Kind of like how paying customers have agreed to not pass Atlassian Confluence source code to others.