Early in 2021, Check Point Research provided Atlassian with the details of several vulnerabilities affecting a limited number of web applications that Atlassian uses to support customers and partners. The reported vulnerabilities did not affect Atlassian Cloud products (like Jira, Confluence, or Bitbucket Cloud) or Atlassian’s on-premise products (like Jira, Confluence, or Bitbucket Server and Data Center).
The first vulnerability, known as session fixation, affected four public-facing applications run by Atlassian for customer and partner support (jira.atlassian.com, confluence.atlassian.com, getsupport.atlassian.com, and partners.atlassian.com). Exploiting this vulnerability successfully would require an attacker to identify and exploit a second, separate security vulnerability in order to set the targeted user’s session cookie to a specific attacker-controlled value. After investigating, Atlassian engineers identified the source of the vulnerability as a custom single sign-on plugin, not the Jira or Confluence products themselves. A fix has been deployed and the affected systems are no longer vulnerable.
The additional vulnerabilities contained in the report were related to a training platform (training.atlassian.com), developed and hosted by a third party, that Atlassian used to provide training to customers on how to use products like Jira and Confluence. The vulnerabilities included a session fixation vulnerability, a cross-site request forgery (CSRF) vulnerability, and a cross-site scripting (XSS) vulnerability, which together could allow an attacker to take over a user’s Atlassian Training session if the attacker could get the targeted user to visit an attacker-controlled web page (typically via a phishing email). Atlassian notified the vendor who operates the training platform, and they have deployed fixes for all of the vulnerabilities reported.
When chained together, these vulnerabilities could have allowed an attacker to impersonate the targeted user to the Atlassian applications affected by the first vulnerability, after getting the targeted user to click a link in a specially crafted phishing email message designed to exploit the vulnerabilities in the Atlassian Training application. Even once exploited, the attacker’s access would have been limited to the affected systems; the attacker would not have been able to access customer Jira, Confluence, or Bitbucket Cloud data. All of the reported vulnerabilities have been patched, and we will continue to monitor this issue and update any impacted customers if we have new information to share.
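As an added illustration of the session fixation class described above for both the support applications and the training platform (this is not Atlassian’s code or the SSO plugin’s; the in-memory store, function names and user value are all constructed): a toy login handler that keeps the pre-authentication session id next to one that rotates it, with a small check showing that only the latter leaves an id known before login unauthenticated.

```python
import secrets

# Constructed in-memory session store: session id -> session data.
# A toy illustration, not any real framework's or Atlassian's session code.
SESSIONS: dict[str, dict] = {}

def new_session() -> str:
    """Issue a fresh, unpredictable session id for an anonymous visitor."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None}
    return sid

def login_vulnerable(sid: str, user: str) -> str:
    """Session-fixation-prone login: verifies the user but keeps the
    pre-authentication session id, so an id that was planted in the
    victim's browser before login becomes a logged-in session."""
    SESSIONS[sid]["user"] = user
    return sid

def login_fixed(sid: str, user: str) -> str:
    """Hardened login: discard the pre-authentication id and issue a new
    one only after the credentials are verified, so no id chosen before
    login ever becomes an authenticated session."""
    SESSIONS.pop(sid, None)          # invalidate the id the browser arrived with
    fresh = secrets.token_urlsafe(32)
    SESSIONS[fresh] = {"user": user}
    return fresh

def whoami(sid: str):
    """User the server believes holds this session id (None if nobody)."""
    return SESSIONS.get(sid, {}).get("user")

def demo(login) -> tuple:
    """Simulate a login with an id that was known before authentication and
    report (user bound to the pre-login id, user bound to the returned id)."""
    SESSIONS.clear()
    known_before_login = new_session()   # id already present in the browser
    after = login(known_before_login, "victim@example.com")
    return whoami(known_before_login), whoami(after)

if __name__ == "__main__":
    print("vulnerable:", demo(login_vulnerable))  # ('victim@example.com', 'victim@example.com')
    print("fixed:     ", demo(login_fixed))       # (None, 'victim@example.com')
```

The check to look for in any SSO or login integration is the second behaviour: the session identifier presented before authentication must never be the one that carries the authenticated session.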
Atlassian encourages customers, partners, and security researchers to report security vulnerabilities through our bug bounty program, email, or customer support portal. For more information, see Report a Vulnerability.
For more information on Atlassian’s security practices, visit our Trust Center.