Security researchers from the software company 42 revealed a vulnerability in the Atlassian OAuth plugin last year that let an attacker make the server issue HTTP GET requests on their behalf.
Though the bug was fixed in March 2017, it still leaves major companies at risk. According to security researcher Robbie Williams, the vulnerable OAuth plugin ships with software such as Jira and Confluence, and where that software is hosted on AWS the flaw can be used to retrieve instance metadata and, in some cases, the AWS keys of the instance's IAM role.
In addition, Williams explained that attackers could also retrieve a root password or a token, depending on the setup.
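The bug class described above, a server that fetches a URL it was handed and can therefore reach its own cloud instance's metadata service, is closed in the application by refusing outbound requests to link-local, loopback and private addresses before the fetch is made. The following is an added example of such a guard; it is not code from the Atlassian OAuth plugin or from the article. The blocked ranges, the hostnames and the constructed `FAKE_DNS` table are assumptions chosen for illustration so the script runs offline.

```python
"""Outbound URL guard: refuse server-side fetches to cloud metadata and internal addresses.

Added example; not code from the Atlassian OAuth plugin or the article above.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Destinations a server-side fetch on a cloud host should never be allowed to reach.
# 169.254.169.254 is the AWS instance metadata service (IMDS) address; the other
# ranges are loopback and private networks that an SSRF bug would otherwise expose.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),  # IPv4 link-local, includes AWS IMDS 169.254.169.254
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
    ipaddress.ip_network("0.0.0.0/8"),       # "this" network; 0.0.0.0 reaches local services on some stacks
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918 private ranges
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),   # shared address space, used by some cloud-internal services
    ipaddress.ip_network("::1/128"),         # IPv6 loopback
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
    ipaddress.ip_network("fc00::/7"),        # IPv6 unique-local, includes the AWS IMDS IPv6 endpoint fd00:ec2::254
]

# Constructed DNS table standing in for a real resolver so the example runs offline.
# The hostnames are assumptions for illustration, not real systems.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "metadata-alias.example": ["169.254.169.254"],   # a name that points at IMDS
    "dual.example": ["93.184.216.34", "10.0.0.5"],    # one public and one internal record
}


def fake_resolver(host):
    """Resolve through the constructed table; raise like getaddrinfo does on an unknown name."""
    try:
        return [ipaddress.ip_address(a) for a in FAKE_DNS[host]]
    except KeyError:
        raise socket.gaierror(f"unknown host {host!r}")


def system_resolver(host):
    """Resolve a hostname to every A/AAAA address using the system resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    # info[4][0] is the address string; strip a possible IPv6 scope suffix such as "%eth0".
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


def is_blocked_address(addr):
    """True if addr falls in a blocked range; IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped first."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a URL the server is about to fetch on a user's behalf.

    Every address the host resolves to is checked, so a DNS name that points at
    169.254.169.254 is refused just like the literal address.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IPv4 or IPv6 address
    except ValueError:
        try:
            addrs = resolver(host)
        except (socket.gaierror, OSError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for url in (
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://metadata-alias.example/",
        "http://dual.example/report",
        "https://api.partner.example/v1/status",
    ):
        print(url, "->", check_outbound_url(url, resolver=fake_resolver))
```

The check has to run before each fetch and again on every redirect hop, since an allowed host can redirect to the metadata address. It complements, rather than replaces, keeping the server products patched as Atlassian advises; on the AWS side, requiring the token-based IMDSv2 further limits what a forged request from the instance can obtain.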
The reason this bug still poses a danger months after disclosure is that companies are not updating their Atlassian software. “This vulnerability is not new and was fixed in March 2017,” a spokesperson from Atlassian said. “As always, we recommend that our customers upgrade to the most recent version of our server products to ensure they have the latest features and fixes. In this case, it’s especially important for those customers who host Atlassian server products on AWS cloud instances. This vulnerability does not impact customers using cloud versions of Atlassian products, those who upgraded server versions, and those that do not host server versions on AWS cloud. We encourage security researchers to submit vulnerabilities to our public bug bounty program.”
Read more here: sdtimes.com
Thank you for reading, and show some support to this guy @regalsoldier right here. If you like my work, consider upvotes and resteem.
https://sdtimes.com/security/vulnerable-oauth-plugin-leaves-a-number-of-companies-at-risk/