Atlassian has fixed a chain of vulnerabilities disclosed to the Australian collaboration software vendor which could have been used to take over accounts and control applications on its domains.

Security vendor Check Point Software was able to bypass protective measures in Atlassian's Single Sign-On (SSO) system, such as the Content Security Policy (CSP) enforced by web browsers and cookies marked SameSite=Strict and HttpOnly to restrict access.

Check Point found that the CSP on the training.atlassian.com subdomain was configured poorly and permitted script execution.
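A permissive CSP is the kind of misconfiguration an automated header check catches before an attacker does. The following audit script is an added example and is not code from Check Point or Atlassian; the header strings it inspects are constructed, and the rules it applies (no effective script-src, `'unsafe-inline'` without a nonce or hash, `'unsafe-eval'`, scheme and host wildcards) are the common weaknesses a reviewer looks for, not a claim about what the Atlassian policy contained.

```python
"""Audit a Content-Security-Policy header for settings that still let injected scripts run."""
from typing import Dict, List

# Keywords and scheme sources that effectively disable script restrictions.
BROAD_SOURCES = {"*", "http:", "https:", "data:", "blob:"}
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    Directive names are case-insensitive; when a directive appears twice, browsers
    honour the first occurrence and ignore the rest, so the parser does the same.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:  # duplicate directive: first one wins
            continue
        policy[name] = tokens[1:]
    return policy


def script_src_findings(header: str) -> List[str]:
    """Return human-readable findings about the effective script-src of a policy."""
    policy = parse_csp(header)
    if "script-src" in policy:
        sources = policy["script-src"]
    elif "default-src" in policy:
        sources = policy["default-src"]  # script-src falls back to default-src
    else:
        return ["no script-src or default-src directive: any script may execute"]

    # In CSP level 2+ browsers a nonce or hash makes 'unsafe-inline' inert, so it is
    # only reported when nothing overrides it.
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources)

    findings: List[str] = []
    for src in sources:
        low = src.lower()
        if low == "'unsafe-inline'" and not has_nonce_or_hash:
            findings.append("'unsafe-inline' allows injected inline scripts")
        elif low == "'unsafe-eval'":
            findings.append("'unsafe-eval' allows eval()/new Function() on injected strings")
        elif low in BROAD_SOURCES:
            findings.append(f"scheme/wildcard source {src} allows scripts from arbitrary origins")
        elif low.startswith("*.") or low.startswith("https://*."):
            findings.append(f"wildcard host {src} allows scripts from any subdomain")
    return findings


if __name__ == "__main__":
    # Constructed sample policies, one weak and one hardened.
    weak = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com"
    hardened = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'"
    for label, header in (("weak", weak), ("hardened", hardened)):
        print(label, "->", script_src_findings(header) or ["no script-src findings"])
```

Run it against the `Content-Security-Policy` response header of each subdomain you own; an empty finding list is necessary but not sufficient, since a policy can still be undermined by a permissive `object-src` or `base-uri`, which this check does not cover.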

By combining cross-site scripting and cross-site request forgery (XSS and CSRF), the researchers were able to inject a malicious payload into the shopping cart of the Atlassian training site, which allowed them to perform actions as the target user.

To obtain the user's session cookie, the Check Point researchers used a cookie fixation attack.

This forced the browser to use a cookie already known to the attacker, which then became authenticated; that sidestepped the HttpOnly restriction (the attacker never needed to read the cookie) and enabled the account hijacking.
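The standard defence against session fixation is to discard whatever session identifier the browser presented and issue a fresh one at the moment of authentication, so a pre-planted cookie never becomes a logged-in session. The store below is an added example, not Atlassian's or Check Point's code; it is a minimal in-memory model rather than a real SSO backend, and the "planted" identifier in `fixation_defence_outcome` is constructed to stand in for one an attacker managed to set before login.

```python
"""Minimal server-side session store that rotates the session id on login."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None               # None until the session is authenticated
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """Sessions are keyed by a random id; the id is replaced when a user logs in."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> str:
        """Issue an anonymous (pre-login) session id."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login(self, presented_sid: Optional[str], user: str) -> str:
        """Authenticate the user and return a brand-new id.

        The id the browser presented (whether issued by us or planted) is removed,
        so it can never be used as an authenticated session. Pre-login data such as
        a shopping cart is carried over to the new session.
        """
        old = self._sessions.pop(presented_sid, None) if presented_sid else None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(user=user, data=dict(old.data) if old else {})
        return new_sid


def session_set_cookie(sid: str, name: str = "session") -> str:
    """Build the Set-Cookie value with the attributes that limit cookie exposure."""
    return f"{name}={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def fixation_defence_outcome() -> Dict[str, bool]:
    """Walk through a login where the presented id was known before authentication."""
    store = SessionStore()
    planted = store.create()  # constructed: an id that existed (and was knowable) before login
    issued = store.login(planted, "alice")
    authenticated = store.get(issued)
    return {
        "planted_id_invalid_after_login": store.get(planted) is None,
        "issued_id_authenticated": authenticated is not None and authenticated.user == "alice",
        "ids_differ": planted != issued,
    }


if __name__ == "__main__":
    for check, ok in fixation_defence_outcome().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
    print(session_set_cookie("example-id-only"))
```

The cookie attributes on their own did not stop the chain described above, which is the point of the rotation: HttpOnly hides the value from scripts, but only re-issuing the id on authentication stops a value the attacker already holds from becoming a logged-in session.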

From the Atlassian training site, the researchers were able to pivot to accounts on Jira, Confluence, and other subdomains operated by the Australian vendor.

The researchers were also able to use the hijacked Jira account to break into Bitbucket code repositories.

A supply-chain attack that reaches an organisation's Bitbucket repository is particularly dangerous, as it could lead to altered source code being implanted to distribute malware or backdoors.