Security Issue with Atlassian

Ajay Mishra
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
December 13, 2022

Hi,

I came across one of the Security Issues/Vulnerability

https://cloudsek.com/security-flaw-in-atlassian-products-jira-confluencetrello-bitbucket-affecting-multiple-companies/

This has been tested. 

Just wanted to highlight here. 

Kalin U
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
December 13, 2022

Thank you, @Ajay Mishra, for the heads up!

Have you contacted Atlassian directly? Is there any other publicly available information about the vulnerability?

I didn't find anything under https://www.atlassian.com/trust/security/advisories, under https://www.cvedetails.com/vulnerability-list/vendor_id-3578/Atlassian.html, or under https://jira.atlassian.com/issues/?jql=issuetype%20%3D%20%22Public%20Security%20Vulnerability%22%20ORDER%20BY%20updated%20DESC.

Regards,
K.

Ajay Mishra
December 13, 2022
Dawn Carroll
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 13, 2022

Thank you for bringing this up on the Trust & Security Community.  Atlassian's security team is aware of this incident and we have followed security protocol to invalidate affected session tokens. Atlassian is conducting a comprehensive investigation, though our security team has not found evidence of a compromise within our systems or products. No customer action is required at this time. We will share another update once our investigation concludes.

Andrew Gallagher
I'm New Here
December 14, 2022

Hi Dawn,

Is this available somewhere as an official message/advice?

Thanks,

Andrew

Dawn Carroll
Atlassian Team
December 14, 2022

Hi Andrew. The statement above is reiterated in a handful of news articles; see the one below in the UPDATE section:

https://www.itworldcanada.com/article/atlassian-admins-warned-of-session-cookie-vulnerabilty/517864

Atlassian is working on further communications and I can add them to this thread once they are ready!  

Kalin U
Rising Star
December 15, 2022

I saw that @Dan Hranj has recently posted this announcement in this community group: https://community.atlassian.com/t5/Trust-Security-articles/Atlassian-response-to-claims-regarding-session-tokens-cookies/ba-p/2217925.

In essence, Atlassians say:

Our security team did not find a vulnerability in Atlassian Cloud or On-Premise products or a breach of Atlassian systems related to the incident.

Dawn Carroll
Atlassian Team
December 15, 2022

Yes, thank you @Kalin U! You beat me to it! Thank you for putting it here!
