Atlassian vulnerability information accidentally published on Twitter

The SwiftOnSecurity Twitter page accidentally published information about a previously unknown vulnerability in an Atlassian product. This flaw that may be echoed in IBM’s Aspera software.

Confluence connects to its companion application through a browser using the domain https://atlassian-domain-for-localhost-connections-only.com.

Read also: Google released December patches for Android, which fixed dozens of vulnerabilities

The problem is that anyone with sufficient knowledge can copy the SSL key, use it to perform a “man in the middle” attack and redirect application traffic to a malicious site.

According to Google’s security engineer Tavis Ormandy, any application user can be targeted.

“You just can take the key, and nothing will stop you from providing rights on this domain to anything else besides localhost. Therefore, there is no guarantee that you are connecting to a trusted local and not a malicious service”, – Ormandy explained.

In the Twitter discussion, Tim Stone, a moderator for StackApps, observed that IBM’s Aspera plugin client uses a similar server scheme, local.connectme.us, for client-server communication.

“That has the potential to be even worse. There’s a pre-generated CA certificate and a private key, if they add that to the system store, they’re effectively disabling SSL. I would consider that *critical*”, — wrote Tim Stone.

Vulnerability received identifier CVE-2019-15006.

Work on the bugs:

SwiftOnSecurity notified Atlassian of the problem, and the manufacturer is currently working on fixing it.After the story was filed, an IBM spokesperson responded by noting that the tech giant issued a security bulletin for denial of service vulnerability affecting Aspera Connect 3.7 and 3.8 back in June.

“We left the local.connectme.us in for backward compatibility while customers continue to upgrade their environments”, – the spinner explained.