CVE-2021-26074 - Vulnerability Details - OpenCVE

Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Spring Boot versions from version 1.1.0 before version 2.1.3 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Atlassian	Connect Spring Boot

Configuration 1 [-]

cpe:2.3:a:atlassian:connect_spring_boot:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-allows-bypass-of-app-qsh-verification-via-context-jwts/47072
https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986106

History

Wed, 12 Feb 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: atlassian

Published: 2021-04-16T03:00:19.829Z

Updated: 2025-02-12T20:52:01.324Z

Reserved: 2021-01-25T00:00:00.000Z

Link: CVE-2021-26074

Vulnrichment

Updated: 2024-08-03T20:19:20.044Z

NVD

Status : Modified

Published: 2021-04-16T03:15:12.113

Modified: 2025-02-12T21:15:10.530

Link: CVE-2021-26074

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Atlassian Connect Spring Boot (ACSB)", "vendor": "Atlassian", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "1.1.0", "versionType": "custom"}, {"lessThan": "2.1.3", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2021-04-13T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Spring Boot versions from version 1.1.0 before version 2.1.3 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app."}], "problemTypes": [{"descriptions": [{"description": "Broken Authentication", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-02-23T03:45:15.000Z", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986106"}, {"tags": ["x_refsource_MISC"], "url": "https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-allows-bypass-of-app-qsh-verification-via-context-jwts/47072"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-04-13T00:00:00", "ID": "CVE-2021-26074", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Atlassian Connect Spring Boot (ACSB)", "version": {"version_data": [{"version_affected": ">=", "version_value": "1.1.0"}, {"version_affected": "<", "version_value": "2.1.3"}]}}]}, "vendor_name": "Atlassian"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Spring Boot versions from version 1.1.0 before version 2.1.3 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Broken Authentication"}]}]}, "references": {"reference_data": [{"name": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986106", "refsource": "MISC", "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986106"}, {"name": "https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-allows-bypass-of-app-qsh-verification-via-context-jwts/47072", "refsource": "MISC", "url": "https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-allows-bypass-of-app-qsh-verification-via-context-jwts/47072"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:19:20.044Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986106"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-allows-bypass-of-app-qsh-verification-via-context-jwts/47072"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-287", "lang": "en", "description": "CWE-287 Improper Authentication"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-02-12T20:51:32.887613Z", "id": "CVE-2021-26074", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T20:52:01.324Z"}}]}, "cveMetadata": {"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-26074", "datePublished": "2021-04-16T03:00:19.829Z", "dateReserved": "2021-01-25T00:00:00.000Z", "dateUpdated": "2025-02-12T20:52:01.324Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986106", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-allows-bypass-of-app-qsh-verification-via-context-jwts/47072", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:19:20.044Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2021-26074", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-12T20:51:32.887613Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T20:51:24.140Z"}}], "cna": {"affected": [{"vendor": "Atlassian", "product": "Atlassian Connect Spring Boot (ACSB)", "versions": [{"status": "affected", "version": "1.1.0", "lessThan": "unspecified", "versionType": "custom"}, {"status": "affected", "version": "unspecified", "lessThan": "2.1.3", "versionType": "custom"}]}], "datePublic": "2021-04-13T00:00:00.000Z", "references": [{"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986106", "tags": ["x_refsource_MISC"]}, {"url": "https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-allows-bypass-of-app-qsh-verification-via-context-jwts/47072", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Spring Boot versions from version 1.1.0 before version 2.1.3 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Broken Authentication"}]}], "providerMetadata": {"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian", "dateUpdated": "2022-02-23T03:45:15.000Z"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.1.0", "version_affected": ">="}, {"version_value": "2.1.3", "version_affected": "<"}]}, "product_name": "Atlassian Connect Spring Boot (ACSB)"}]}, "vendor_name": "Atlassian"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986106", "name": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986106", "refsource": "MISC"}, {"url": "https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-allows-bypass-of-app-qsh-verification-via-context-jwts/47072", "name": "https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-allows-bypass-of-app-qsh-verification-via-context-jwts/47072", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Spring Boot versions from version 1.1.0 before version 2.1.3 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Broken Authentication"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-26074", "STATE": "PUBLIC", "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-04-13T00:00:00"}}}}, "cveMetadata": {"cveId": "CVE-2021-26074", "state": "PUBLISHED", "dateUpdated": "2025-02-12T20:52:01.324Z", "dateReserved": "2021-01-25T00:00:00.000Z", "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "datePublished": "2021-04-16T03:00:19.829Z", "assignerShortName": "atlassian"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:connect_spring_boot:*:*:*:*:*:*:*:*", "matchCriteriaId": "2AA2CBC2-F9F4-4F3C-8446-D995F1D8AE2E", "versionEndExcluding": "2.1.3", "versionStartIncluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Spring Boot versions from version 1.1.0 before version 2.1.3 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app."}, {"lang": "es", "value": "Autenticaci\u00f3n rota en Atlassian Connect Spring Boot (ACSB) desde la versi\u00f3n 1.1.0 versiones anteriores a 2.1.3: Atlassian Connect Spring Boot es un paquete Java Spring Boot para crear aplicaciones de Atlassian Connect. La autenticaci\u00f3n entre los productos de Atlassian y la aplicaci\u00f3n Atlassian Connect Spring Boot se produce con un JWT de servidor a servidor o un JWT de contexto. Las versiones de Atlassian Connect Spring Boot desde la versi\u00f3n 1.1.0 versiones anteriores a 2.1.3 aceptan err\u00f3neamente JWTs de contexto en los puntos finales del ciclo de vida (como la instalaci\u00f3n) cuando solo deber\u00edan aceptarse JWTs de servidor a servidor, lo que permite a un atacante enviar eventos de reinstalaci\u00f3n autenticados a una aplicaci\u00f3n"}], "id": "CVE-2021-26074", "lastModified": "2025-02-12T21:15:10.530", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2021-04-16T03:15:12.113", "references": [{"source": "security@atlassian.com", "tags": ["Vendor Advisory"], "url": "https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-allows-bypass-of-app-qsh-verification-via-context-jwts/47072"}, {"source": "security@atlassian.com", "tags": ["Vendor Advisory"], "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986106"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-allows-bypass-of-app-qsh-verification-via-context-jwts/47072"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986106"}], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}