Open techcutie opened 2 years ago
Is there any proof for this?
Atlassian's official communication says otherwise: https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html
They are still investigating, but their preliminary analysis suggests that they think Jira/Confluence are not affected.
How does their communication say otherwise? - The article you linked says that the products I mentioned may be affected depending on individual configuration, and gives no evaluation on Jira Cloud at all.
I'd have to ask my colleagues for proof or detailed findings; so far I just have the info that 2 of our Jira instances and one of our Confluence instances are affected.
Just saying something is probable doesn't make it so. Hearsay doesn't help anybody. If you file an issue, it helps if you include at least some information. Yes, ask your colleagues. Atlassian probably is welcoming any responsible disclosure so they can better inform their customers.
> The article you linked says that the products I mentioned may be affected depending on individual configuration, and gives no evaluation on Jira Cloud at all.
There's a huge difference between "are affected" and "may be affected". Virtually any Java application may be affected if 3rd party code is allowed through a modular (or plugin) architecture and somebody adds vulnerable 3rd party code to it. That doesn't mean that the product itself is vulnerable (i.e. by default). Your first comment in this PR is an oversimplification.
> I'd have to ask my colleagues for proof or detailed findings; so far I just have the info that 2 of our Jira instances and one of our Confluence instances are affected.
Please, do so. Proof helps a lot.
FAQ KB from Atlassian itself is mixed:
https://confluence.atlassian.com/kb/faq-for-cve-2021-44228-1103069406.html
Atlassian Jira Server + Data Center
Atlassian Confluence Server + Data Center
are also affected