Bugcrowd security issue #1 on SQL Connector

Description

Contents will be disclosed later.

Environment

None

Observations

None

Activity

Adrien Ragot, September 29, 2020 at 12:51 PM

Current status:

  • Discovered on Thursday 9pm,

  • The immediate vulnerability was closed within 4 hours,

  • Atlassian was notified within 4 hrs,

  • The users (i.e. the email on the licenses) were notified within 24 hrs,

  • Many restrictions to avoid similar vulnerabilities were created in the following 3 days,

  • We've announced the end-of-life of the SQL Connector at the same time. There are many alternatives on the Atlassian Marketplace.

Adrien Ragot, September 24, 2020 at 11:18 PM
Edited

Current status:

  • Waiting for detailed information from the security researcher,

  • Writing the communication to customers, to publish tomorrow after collecting their contacts,

  • We'll need to investigate adjacent vulnerabilities.

Adrien Ragot, September 24, 2020 at 11:04 PM
Edited

The immediate vulnerability is fixed.
DB not accessible from the public.
Atlassian is informed.
App secret was changed, too.

Unresolved

Details

Assignee

Reporter

Priority

Requirement Yogi

Created September 24, 2020 at 9:10 PM
Updated September 29, 2020 at 12:51 PM