Bugcrowd security issue #1 on SQL Connector
Activity
Adrien Ragot, September 29, 2020 at 12:51 PM
Current status:
Discovered on Thursday at 9 pm,
The immediate vulnerability was closed within 4 hours,
Atlassian was notified within 4 hours,
The users (i.e. the email addresses on the licenses) were notified within 24 hours,
Many restrictions to avoid similar vulnerabilities were created in the following 3 days,
We announced the end-of-life of the SQL Connector at the same time. There are many alternatives on the Atlassian Marketplace.
Adrien Ragot, September 24, 2020 at 11:18 PM (edited)
Current status:
Waiting for detailed information from the security researcher,
Writing the communication to customers, to publish tomorrow after collecting their contacts,
We'll need to investigate adjacent vulnerabilities.
Adrien Ragot, September 24, 2020 at 11:04 PM (edited)
The immediate vulnerability is fixed.
The DB is not accessible from the public.
Atlassian is informed.
App secret was changed, too.
Contents will be disclosed later.