PT-2021-16944 · Atlassian · Connect Spring Boot

Published: 2021-05-07 · Updated: 2025-02-12 · CVE-2021-26077

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Atlassian Connect Spring Boot versions 1.1.0 through 2.1.3
Atlassian Connect Spring Boot versions 2.1.4 through 2.1.5

Description

The issue concerns Atlassian Connect Spring Boot, a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and an Atlassian Connect Spring Boot app uses either a server-to-server JWT or a context JWT. However, Atlassian Connect Spring Boot erroneously accepts context JWTs on lifecycle endpoints, such as installation, where only server-to-server JWTs should be accepted. This allows an attacker to send authenticated re-installation events to an app.

Recommendations

For Atlassian Connect Spring Boot versions 1.1.0 through 2.1.3, update to version 2.1.3 or later. For Atlassian Connect Spring Boot versions 2.1.4 through 2.1.5, update to version 2.1.5 or later. As a temporary workaround, consider restricting access to lifecycle endpoints, such as installation, to minimize the risk of exploitation.
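The check the fix depends on, shown as an added example that is not code from Atlassian Connect Spring Boot: in Atlassian Connect both token kinds are HS256 JWTs signed with the app's shared secret, a context JWT carries the fixed qsh claim `context-qsh`, and a server-to-server JWT carries a qsh bound to the canonical request. The lifecycle paths, secret and claims below are constructed, and `reject_context_on_lifecycle=False` models the pre-fix behaviour that accepted either token kind on lifecycle endpoints.

```python
import base64
import hashlib
import hmac
import json
# Assumed lifecycle routes for this example; a Connect app names its own in the descriptor.
LIFECYCLE_PATHS = {"/installed", "/uninstalled", "/enabled", "/disabled"}
CONTEXT_QSH = "context-qsh"  # fixed qsh value that marks a context JWT

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def canonical_qsh(method: str, path: str, query: str = "") -> str:
    """qsh of the canonical request: METHOD&path&sorted query params, SHA-256 hex."""
    params = sorted(p for p in query.split("&") if p)
    canonical = f"{method.upper()}&{path}&{'&'.join(params)}"
    return hashlib.sha256(canonical.encode()).hexdigest()

def sign_hs256(claims: dict, secret: str) -> str:
    """Build an HS256 JWT as a Connect host would with the install shared secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"

def verify_hs256(token: str, secret: str):
    # Returns the claims dict when the signature verifies, otherwise None.
    header, payload, sig = token.split(".")
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))

def authorize(token: str, secret: str, method: str, path: str, query: str = "",
              reject_context_on_lifecycle: bool = True):
    """Signature check plus qsh policy; the flag set to False models the pre-fix behaviour."""
    claims = verify_hs256(token, secret)
    if claims is None:
        return False, "bad signature"
    qsh = claims.get("qsh")
    if qsh == CONTEXT_QSH:
        # The fix: a context JWT never authorizes a lifecycle event such as (re)installation.
        if reject_context_on_lifecycle and path in LIFECYCLE_PATHS:
            return False, "context JWT rejected on lifecycle endpoint"
        return True, "context JWT"
    if qsh != canonical_qsh(method, path, query):
        return False, "qsh does not match the request"
    return True, "server-to-server JWT"
```

A context JWT is still valid for ordinary app endpoints; only the lifecycle routes insist on a request-bound qsh.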

Weakness Enumeration

Improper Authentication

Related Identifiers

BDU:2025-11336
CVE-2021-26077
GHSA-2X7V-W2MV-F3RX

Affected Products

Connect Spring Boot