Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Security Issue with Atlassian

Ajay Mishra
Ajay Mishra
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
December 13, 2022

Hi, 

 

I came across one of the Scurity Issues/Vulnerability 

 https://cloudsek.com/security-flaw-in-atlassian-products-jira-confluencetrello-bitbucket-affecting-multiple-companies/

 

This has been tested. 

Just wanted to highlight here. 

Comment
Watch
Like Kalin U likes this
1702 views

1 comment

Comment

Log in or Sign up to comment
Kalin U
Kalin U
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
December 13, 2022

Thank you, @Ajay Mishra, for the heads up!

Have you contacted Atlassian directly? Is there any other publicly available information about the vulnerability?

I didn't find anything neither under https://www.atlassian.com/trust/security/advisories, nor under https://www.cvedetails.com/vulnerability-list/vendor_id-3578/Atlassian.html, nor https://jira.atlassian.com/issues/?jql=issuetype%20%3D%20%22Public%20Security%20Vulnerability%22%20ORDER%20BY%20updated%20DESC.

Regards,
K.

Like
Reply
Ajay Mishra
Ajay Mishra
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
December 13, 2022

@Kalin U 

hi

This vulnerability was highlighted by Cloudesk

 https://cloudsek.com/security-flaw-in-atlassian-products-jira-confluencetrello-bitbucket-affecting-multiple-companies/

Like Kalin U likes this
Dawn Carroll
Dawn Carroll
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 13, 2022

Thank you for bringing this up on the Trust & Security Community.  Atlassian's security team is aware of this incident and we have followed security protocol to invalidate affected session tokens. Atlassian is conducting a comprehensive investigation, though our security team has not found evidence of a compromise within our systems or products. No customer action is required at this time. We will share another update once our investigation concludes.

Like
Andrew Gallagher
Andrew Gallagher
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
December 14, 2022

Hi Dawn,

Is this available somewhere as an official message/advice?

Thanks,

Andrew

Like
Dawn Carroll
Dawn Carroll
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 14, 2022

Hi Andrew.  The statement above is reiterated on a handful of news articles, see the one below in the UPDATE section: 

https://www.itworldcanada.com/article/atlassian-admins-warned-of-session-cookie-vulnerabilty/517864

 

Atlassian is working on further communications and I can add them to this thread once they are ready!  

Like
Kalin U
Kalin U
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
December 15, 2022

I saw that @Dan Hranj has recently posted this announcement in this community group: https://community.atlassian.com/t5/Trust-Security-articles/Atlassian-response-to-claims-regarding-session-tokens-cookies/ba-p/2217925.

In essence, Atlassians say:

Our security team did not find a vulnerability in Atlassian Cloud or On-Premise products or a breach of Atlassian systems related to the incident.

Like # people like this
Dawn Carroll
Dawn Carroll
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 15, 2022

Yes, thank you @Kalin U !  You beat me to it!  Thank you for putting it here!

Like Kalin U likes this
groups-icon
Trust & Security
TAGS
AUG Leaders

Atlassian Community Events

    See all events