Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Spring Boot versions from version 1.1.0 before version 2.1.3 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app.
History
01 Mar 2022, 16:25
Type | Values Removed | Values Added |
---|---|---|
CWE | | CWE-287 |
23 Feb 2022, 04:15
Type | Values Removed | Values Added |
---|---|---|
Summary | | Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Spring Boot versions from version 1.1.0 before version 2.1.3 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app. |
23 Apr 2021, 16:39
Type | Values Removed | Values Added |
---|---|---|
CVSS | v2 : v3 : | v2 : 4.0, v3 : 6.5 |
CPE | | cpe:2.3:a:atlassian:connect_spring_boot:*:*:*:*:*:*:*:* |
References | | https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986106 (Vendor Advisory) |
References | | https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-allows-bypass-of-app-qsh-verification-via-context-jwts/47072 (Vendor Advisory) |
CWE | | CWE-863 |
16 Apr 2021, 03:15
Type | Values Removed | Values Added |
---|---|---|
New CVE | | |
Information
Published : 2021-04-16 03:15
Updated : 2023-12-10 13:55
NVD link : CVE-2021-26074
Mitre link : CVE-2021-26074
CVE.ORG link : CVE-2021-26074
Products Affected
atlassian
- connect_spring_boot
CWE
CWE-287
Improper Authentication