CVE-2021-26073

Опубликовано: 16 апр. 2021

Источник: nvd

CVSS3: 7.7

CVSS2: 4

EPSS Низкий

Описание

Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Express versions from 3.0.2 before 6.6.0 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app.

Ссылки

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:atlassian:connect_express:*:*:*:*:*:node.js:*:*

Версия от 3.0.2 (включая) до 6.6.0 (исключая)

EPSS

Процентиль: 56%

0.00343

Низкий

7.7 High

CVSS3

4 Medium

CVSS2

Дефекты

CWE-287

Связанные уязвимости

GHSA-4v96-m8xv-x83v