Description
Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Express versions from 3.0.2 before 6.6.0 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None
Affected products
- Atlassian / Atlassian Connect Express (ACE)3.0.2 – unspecified
- Atlassian / Atlassian Connect Express (ACE)unspecified – 6.6.0
References
- MISChttps://confluence.atlassian.com/pages/viewpage.action?pageId=1051986099
- MISChttps://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-a%5B%E2%80%A6%5Dypass-of-app-qsh-verification-via-context-jwts/47072
- MISChttps://security.netapp.com/advisory/ntap-20210604-0004/