
CVE-2021-26074

Published: Apr 16, 2021

Modified: Feb 12, 2025

PUBLISHED

Description

Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Spring Boot versions from version 1.1.0 before version 2.1.3 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app.

Vendor: Atlassian

Product: Atlassian Connect Spring Boot (ACSB)

Versions:

affected: 1.1.0 - < unspecified
affected: unspecified - < 2.1.3
