
CVE-2021-26077

Published: May 9, 2021

Modified: Feb 12, 2025

PUBLISHED

Description

Broken Authentication in Atlassian Connect Spring Boot (ACSB) in version 1.1.0 before 2.1.3 and from version 2.1.4 before 2.1.5: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Spring Boot versions 1.1.0 before 2.1.3 and versions 2.1.4 before 2.1.5 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app.

Vendor: Atlassian

Product: Atlassian Connect Spring Boot (ACSB)

Versions:

affected: 1.1.0 - < unspecified
affected: unspecified - < 2.1.3
affected: 2.1.4 - < unspecified
affected: unspecified - < 2.1.5
