[CONFSERVER-20508] Secure Administrator Sessions feature can be bypassed

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 3.3.1, 3.4
Affects Version/s: 3.3
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

In some circumstances an attacker may be able to craft a request to a Confluence server that bypasses the additional layer of security added by the new Secure Administrator Sessions feature introduced in Confluence 3.3.

This would allow an attacker to perform administrative functions on Confluence using a hijacked session without having to re-authenticate.

This issue is rated HIGH. Please refer to http://confluence.atlassian.com/x/VgozDQ for information on other security related issue and more information on how we rate issues.

No work has yet been logged on this issue.

Assignee:: Joe Clark

Reporter:: Joe Clark

Affected customers:: 0 This affects my team

Watchers:: 1 Start watching this issue

Created:: 02/Aug/2010 5:14 AM

Updated:: 11/Oct/2018 8:43 AM

Resolved:: 02/Aug/2010 5:17 AM

Details

Description

Attachments

Forms

Activity

People

Dates