CVE-2021-26073 - Vulnerability Details - OpenCVE

Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Express versions from 3.0.2 before 6.6.0 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Atlassian	Connect Express

Configuration 1 [-]

cpe:2.3:a:atlassian:connect_express:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-a%5B%E2%80%A6%5Dypass-of-app-qsh-verification-via-context-jwts/47072
https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986099
https://security.netapp.com/advisory/ntap-20210604-0004/

History

Wed, 12 Feb 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: atlassian

Published: 2021-04-16T03:00:19.147Z

Updated: 2025-02-12T20:46:54.554Z

Reserved: 2021-01-25T00:00:00.000Z

Link: CVE-2021-26073

Vulnrichment

Updated: 2024-08-03T20:19:19.387Z

NVD

Status : Modified

Published: 2021-04-16T03:15:12.033

Modified: 2025-02-12T21:15:10.297

Link: CVE-2021-26073

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Atlassian Connect Express (ACE)", "vendor": "Atlassian", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "3.0.2", "versionType": "custom"}, {"lessThan": "6.6.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2021-04-13T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Express versions from 3.0.2 before 6.6.0 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app."}], "problemTypes": [{"descriptions": [{"description": "Broken Authentication", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-02-23T03:45:13.000Z", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986099"}, {"tags": ["x_refsource_MISC"], "url": "https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-a%5B%E2%80%A6%5Dypass-of-app-qsh-verification-via-context-jwts/47072"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210604-0004/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-04-13T00:00:00", "ID": "CVE-2021-26073", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Atlassian Connect Express (ACE)", "version": {"version_data": [{"version_affected": ">=", "version_value": "3.0.2"}, {"version_affected": "<", "version_value": "6.6.0"}]}}]}, "vendor_name": "Atlassian"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Express versions from 3.0.2 before 6.6.0 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Broken Authentication"}]}]}, "references": {"reference_data": [{"name": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986099", "refsource": "MISC", "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986099"}, {"name": "https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-a[\u2026]ypass-of-app-qsh-verification-via-context-jwts/47072", "refsource": "MISC", "url": "https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-a[\u2026]ypass-of-app-qsh-verification-via-context-jwts/47072"}, {"name": "https://security.netapp.com/advisory/ntap-20210604-0004/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210604-0004/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:19:19.387Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986099"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-a%5B%E2%80%A6%5Dypass-of-app-qsh-verification-via-context-jwts/47072"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210604-0004/"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-287", "lang": "en", "description": "CWE-287 Improper Authentication"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-02-12T20:41:50.927822Z", "id": "CVE-2021-26073", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T20:46:54.554Z"}}]}, "cveMetadata": {"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2021-26073", "datePublished": "2021-04-16T03:00:19.147Z", "dateReserved": "2021-01-25T00:00:00.000Z", "dateUpdated": "2025-02-12T20:46:54.554Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986099", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-a%5B%E2%80%A6%5Dypass-of-app-qsh-verification-via-context-jwts/47072", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20210604-0004/", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:19:19.387Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2021-26073", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-12T20:41:50.927822Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T20:38:28.667Z"}}], "cna": {"affected": [{"vendor": "Atlassian", "product": "Atlassian Connect Express (ACE)", "versions": [{"status": "affected", "version": "3.0.2", "lessThan": "unspecified", "versionType": "custom"}, {"status": "affected", "version": "unspecified", "lessThan": "6.6.0", "versionType": "custom"}]}], "datePublic": "2021-04-13T00:00:00.000Z", "references": [{"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986099", "tags": ["x_refsource_MISC"]}, {"url": "https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-a%5B%E2%80%A6%5Dypass-of-app-qsh-verification-via-context-jwts/47072", "tags": ["x_refsource_MISC"]}, {"url": "https://security.netapp.com/advisory/ntap-20210604-0004/", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Express versions from 3.0.2 before 6.6.0 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Broken Authentication"}]}], "providerMetadata": {"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian", "dateUpdated": "2022-02-23T03:45:13.000Z"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "3.0.2", "version_affected": ">="}, {"version_value": "6.6.0", "version_affected": "<"}]}, "product_name": "Atlassian Connect Express (ACE)"}]}, "vendor_name": "Atlassian"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986099", "name": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986099", "refsource": "MISC"}, {"url": "https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-a[\u2026]ypass-of-app-qsh-verification-via-context-jwts/47072", "name": "https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-a[\u2026]ypass-of-app-qsh-verification-via-context-jwts/47072", "refsource": "MISC"}, {"url": "https://security.netapp.com/advisory/ntap-20210604-0004/", "name": "https://security.netapp.com/advisory/ntap-20210604-0004/", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Express versions from 3.0.2 before 6.6.0 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Broken Authentication"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-26073", "STATE": "PUBLIC", "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-04-13T00:00:00"}}}}, "cveMetadata": {"cveId": "CVE-2021-26073", "state": "PUBLISHED", "dateUpdated": "2025-02-12T20:46:54.554Z", "dateReserved": "2021-01-25T00:00:00.000Z", "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "datePublished": "2021-04-16T03:00:19.147Z", "assignerShortName": "atlassian"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:connect_express:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "AB2C8D0B-0934-4D8E-86D9-BCEB48094866", "versionEndExcluding": "6.6.0", "versionStartIncluding": "3.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Express versions from 3.0.2 before 6.6.0 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app."}, {"lang": "es", "value": "Autenticaci\u00f3n rota en Atlassian Connect Express (ACE) desde la versi\u00f3n 3.0.2 versiones anteriores a 6.6.0: Atlassian Connect Express es un paquete Node.js para construir aplicaciones de Atlassian Connect. La autenticaci\u00f3n entre los productos de Atlassian y la aplicaci\u00f3n Atlassian Connect Express se produce con un JWT de servidor a servidor o un JWT de contexto. Las versiones de Atlassian Connect Express desde la 3.0.2 versiones anteriores a 6.6.0 aceptan err\u00f3neamente JWTs de contexto en los puntos finales del ciclo de vida (como la instalaci\u00f3n) cuando solo deber\u00edan aceptarse JWTs de servidor a servidor, lo que permite a un atacante enviar eventos de reinstalaci\u00f3n autenticados a una aplicaci\u00f3n"}], "id": "CVE-2021-26073", "lastModified": "2025-02-12T21:15:10.297", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2021-04-16T03:15:12.033", "references": [{"source": "security@atlassian.com", "url": "https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-a%5B%E2%80%A6%5Dypass-of-app-qsh-verification-via-context-jwts/47072"}, {"source": "security@atlassian.com", "tags": ["Vendor Advisory"], "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986099"}, {"source": "security@atlassian.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210604-0004/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-a%5B%E2%80%A6%5Dypass-of-app-qsh-verification-via-context-jwts/47072"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986099"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210604-0004/"}], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}