Seems like the vulnerability is that hidden characters can be added to code, which will not show up in the web interfaces of the products affected (JIRA, Confluence, Bitbucket, Bamboo, pretty much the whole Atlassian suite).
> A vulnerability has been identified affecting multiple Atlassian products where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the browser or code editors but can affect the meaning of the source code when it is processed by a compiler or an interpreter.
I guess you could potentially sneak in code without anyone noticing. You'd have to have commit access to exploit this, though, I suppose.
At least this one does not turn every Confluence server in the world into a crypto miner, like the one a couple of months ago :/.
That time Atlassian refused to let us upgrade our servers unless we renewed our license (a year old), since they no longer sell or support the on-premise versions of their products. Felt a bit taken hostage there.
4 comments
[ 0.20 ms ] story [ 36.1 ms ] thread> A vulnerability has been identified affecting multiple Atlassian products where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the browser or code editors but can affect the meaning of the source code when it is processed by a compiler or an interpreter.
I guess you could potentially sneak in code without anyone noticing. You'd have to have commit access to exploit this, though, I suppose.
That time Atlassian refused to let us upgrade our servers unless we renewed our license (a year old), since they no longer sell or support the on-premise versions of their products. Felt a bit taken hostage there.