Atlassian scrambles to close its second security hole in a week


Australian tech giant Atlassian was forced to deal with its second security flaw this week, putting out a fix for its corporate information-sharing system Confluence.

The bug causes certain versions of Confluence to allow anyone to view what are supposed to be internal company blogs and pages hosted on the system.

“Attackers who can access the Confluence web interface of a vulnerable version can use this vulnerability to obtain the content of all blogs and pages inside Confluence provided that they first enumerate page or draft ids,” said the Atlassian security advisory.


The discovery comes after Atlassian’s popular business chat app HipChat was affected earlier this week by a “security incident” that saw user data accessed by an unauthorised attacker. In response to that issue, all users were instructed to reset their passwords as a precaution and an urgent patch was released. The company also contacted “law enforcement authorities” to investigate.

Atlassian cites big-name corporations like NASA, Spotify and Lufthansa as users of the Confluence collaboration software. The software provider did not mention whether any customers had detected unauthorised intrusions into their systems.

Customers affected by the high-severity problem can eliminate it by upgrading to Confluence version 6.0.7 or 6.0.10.

An Atlassian spokesperson told Business Insider that the two incidents were unrelated.

“We regularly publish security patches and improvements produced through our application security program. We take our security bug fix policy very seriously and all bugs are tracked against internal resolution SLAs,” the spokesperson said.