Atlassian · Confluence · CVE-2024-48941
**Name of the Vulnerable Software and Affected Versions**
Syracom Secure Login (2FA) plugin for Jira, Confluence, and Bitbucket versions 3.1.4.5 and earlier
**Description**
The issue allows remote attackers to bypass two-factor authentication (2FA) by interacting with the "/rest" endpoint of Jira, Confluence, or Bitbucket, because "/rest" is allowlisted in the default configuration.
**Recommendations**
For versions 3.1.4.5 and earlier, consider restricting access to the "/rest" endpoint as a temporary workaround until a patch is available.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.