Vulnerabilities that could allow for XSS, CSRF, and one-click account takeovers in Atlassian subdomains have been patched.
On Thursday, Check Point Research (CPR) said that the bugs were uncovered in the software solutions provider's online domains, used by thousands of enterprise customers worldwide.
The Australian vendor is the provider of tools including Jira, a project management system, and Confluence, a document collaboration platform for remote teams.
The vulnerabilities in question were found in a number of Atlassian-maintained websites, rather than in on-prem or cloud-based Atlassian products.
Subdomains under atlassian.com, including partners, developer, support, Jira, Confluence, and training.atlassian.com, were vulnerable to account takeover.
CPR explained that exploit code leveraging the vulnerabilities in the subdomains could be deployed by means of a victim clicking on a malicious link. A payload would then be sent on behalf of the victim and the user's session would be stolen.
The issues in the vulnerable domains included a poorly configured Content Security Policy (CSP), parameters vulnerable to XSS, bypasses of the SameSite and HttpOnly cookie protections, and a weakness that allowed cookie fixation: the ability for attackers to force users to authenticate with session cookies already known to the attacker.
The researchers say that it was possible to take over accounts accessible through these subdomains via cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. In addition, the vulnerable domains also allowed threat actors to compromise sessions between the client and web server when a user logged into their account.
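As an added illustration, not Check Point's or Atlassian's code and not the specific chain CPR reported, the Python below audits constructed HTTP response headers for the weak settings named above (a permissive CSP and a session cookie lacking Secure, HttpOnly and SameSite) beside a corrected configuration, and then shows why a login handler that keeps a client-presented session ID enables cookie fixation while one that regenerates the ID at login does not. The header values, cookie name, nonce and domain are constructed samples, not values observed on any Atlassian host.

```python
import secrets

# Constructed sample responses (not captured from Atlassian): a weak
# configuration beside a corrected one.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self' https:; script-src 'self' 'unsafe-inline' *; object-src *",
    "Set-Cookie": "JSESSIONID=abc123; Path=/; Domain=example.com",
}
FIXED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'self'",
    "Set-Cookie": "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}


def parse_csp(csp):
    """Map each CSP directive name to its list of source expressions."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit_csp(csp):
    """Flag CSP settings that leave an injected script executable."""
    d = parse_csp(csp)
    script = d.get("script-src", d.get("default-src"))
    if script is None:
        return ["no script-src/default-src: inline and remote scripts unrestricted"]
    findings = [f"script-src allows {bad}" for bad in
                ("'unsafe-inline'", "'unsafe-eval'", "*", "https:", "http:", "data:")
                if bad in script]
    obj = d.get("object-src", d.get("default-src", []))
    if "'none'" not in obj:
        findings.append("object-src not 'none': plugin-based script execution possible")
    if "base-uri" not in d:
        findings.append("base-uri missing: <base> injection can redirect relative script URLs")
    return findings


def audit_cookie(set_cookie):
    """Flag missing or risky attributes on a session cookie."""
    _name_value, *raw_attrs = [p.strip() for p in set_cookie.split(";")]
    attrs = {a.split("=", 1)[0].lower(): (a.split("=", 1)[1] if "=" in a else True)
             for a in raw_attrs}
    findings = []
    if "secure" not in attrs:
        findings.append("Secure missing: cookie also sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: document.cookie exposes the session to XSS")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cross-site requests carry the session (CSRF)")
    if "domain" in attrs:
        # A Domain attribute shares the cookie with every subdomain, and any
        # sibling host may set a cookie with the same Domain, so a weaker
        # subdomain can plant a session cookie for the whole parent domain.
        findings.append(f"Domain={attrs['domain']}: cookie shared across all subdomains")
    return findings


def audit_response(headers):
    """Combined findings for one response's CSP and Set-Cookie headers."""
    return audit_csp(headers.get("Content-Security-Policy", "")) + audit_cookie(headers["Set-Cookie"])


def vulnerable_login(store, presented_sid, user):
    """BUG: keeps the session ID the client presented, even one the server
    never issued, across the privilege change at login."""
    sid = presented_sid or secrets.token_urlsafe(32)
    store.setdefault(sid, {})["user"] = user
    return sid


def safe_login(store, presented_sid, user):
    """Drop the pre-auth session and mint a fresh server-generated ID at
    login, so a cookie the attacker planted never becomes an authenticated session."""
    store.pop(presented_sid, None)
    sid = secrets.token_urlsafe(32)
    store[sid] = {"user": user}
    return sid


def fixation_demo(login):
    """Attacker has planted a known session ID in the victim's browser (by
    whatever means); the victim logs in. Does the planted ID now map to the
    victim's authenticated session?"""
    store = {}
    planted = "attacker-chosen-sid"  # hypothetical value the attacker already knows
    login(store, planted, "victim")
    return store.get(planted, {}).get("user") == "victim"


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("fixed", FIXED_HEADERS)):
        print(label, audit_response(hdrs))
    print("fixation with vulnerable_login:", fixation_demo(vulnerable_login))
    print("fixation with safe_login:", fixation_demo(safe_login))
```

The header audit is a static check of the response as served; it does not prove exploitability, only that the three cookie protections the article names are absent and that the CSP would not stop an injected inline or remote script. The fixation half isolates the single server-side decision that matters: whether the session identifier is regenerated at the moment authentication state changes.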
"With just one click, an attacker could have used the flaws to take over accounts and control some of Atlassian's apps, including Jira and Confluence," the researchers said.
The ramifications of these attacks included account hijacking, data theft, actions being performed on behalf of a user, and obtaining access to Jira tickets.
Atlassian was informed of the team's findings on January 8, prior to public disclosure. A fix for the affected domains was deployed on May 18.
Atlassian told ZDNet:
"Based on our investigation, the vulnerabilities outlined affect a limited set of Atlassian-owned web applications as well as a third-party training platform. Atlassian has shipped patches to address these issues and none of these vulnerabilities affected Atlassian Cloud (like Jira or Confluence Cloud) or on-premise products (like Jira Server or Confluence Server)."
The research into Atlassian was conducted by CPR because of the ongoing problems surrounding supply chain attacks, in which threat actors target a centralized resource used by many other organizations.
If that component can be compromised, such as by tampering with update code due to be pushed out to customers, as in the case of Codecov, then a broader pool of potential victims can be reached with little effort.
SolarWinds, too, is a prime example of how devastating a supply chain attack can be. Approximately 18,000 SolarWinds customers received a malicious SolarWinds Orion software update that planted a backdoor into their systems; however, the attackers cherry-picked a handful of victims for further compromise, including Microsoft, FireEye, and a number of federal agencies.
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0