diff --git a/2021/26xxx/CVE-2021-26077.json b/2021/26xxx/CVE-2021-26077.json index 622e8638e43..cdb685259c7 100644 --- a/2021/26xxx/CVE-2021-26077.json +++ b/2021/26xxx/CVE-2021-26077.json @@ -1,77 +1,81 @@ { - "CVE_data_meta": { - "ASSIGNER": "security@atlassian.com", - "DATE_PUBLIC": "2021-05-07T12:00:00", - "ID": "CVE-2021-26077", - "STATE": "PUBLIC" - }, - "affects": { - "vendor": { - "vendor_data": [ - { - "product": { - "product_data": [ - { - "product_name": "Atlassian Connect Spring Boot (ACSB)", - "version": { - "version_data": [ - { - "version_value": "1.1.0", - "version_affected": ">=" - }, - { - "version_value": "2.1.3", - "version_affected": "<" - }, - { - "version_value": "2.1.4", - "version_affected": ">=" - }, - { - "version_value": "2.1.5", - "version_affected": "<" - } - ] - } - } - ] - }, - "vendor_name": "Atlassian" - } - ] - } - }, - "data_format": "MITRE", - "data_type": "CVE", - "data_version": "4.0", - "description": { - "description_data": [ - { - "lang": "eng", - "value": "Broken Authentication in Atlassian Connect Spring Boot (ACSB) in version 1.1.0 before 2.1.3 and from version 2.1.4 before 2.1.5: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Spring Boot versions 1.1.0 before 2.1.3 and versions 2.1.4 before 2.1.5 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app." - } - ] - }, - "problemtype": { - "problemtype_data": [ - { - "description": [ - { - "lang": "eng", - "value": "Broken Authentication" - } + "CVE_data_meta": { + "ASSIGNER": "security@atlassian.com", + "DATE_PUBLIC": "2021-05-07T12:00:00", + "ID": "CVE-2021-26077", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Atlassian Connect Spring Boot (ACSB)", + "version": { + "version_data": [ + { + "version_value": "1.1.0", + "version_affected": ">=" + }, + { + "version_value": "2.1.3", + "version_affected": "<" + }, + { + "version_value": "2.1.4", + "version_affected": ">=" + }, + { + "version_value": "2.1.5", + "version_affected": "<" + } + ] + } + } + ] + }, + "vendor_name": "Atlassian" + } ] - } - ] - }, - "references": { - "reference_data": [ - { - "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1063555147" - }, - { - "url": "https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-allows-bypass-of-app-qsh-verification-via-context-jwts/47072" - } - ] - } -} + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "Broken Authentication in Atlassian Connect Spring Boot (ACSB) in version 1.1.0 before 2.1.3 and from version 2.1.4 before 2.1.5: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Spring Boot versions 1.1.0 before 2.1.3 and versions 2.1.4 before 2.1.5 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Broken Authentication" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "url": "https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-allows-bypass-of-app-qsh-verification-via-context-jwts/47072", + "refsource": "MISC", + "name": "https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-allows-bypass-of-app-qsh-verification-via-context-jwts/47072" + }, + { + "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1063555147", + "refsource": "MISC", + "name": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1063555147" + } + ] + } +} \ No newline at end of file