Cybersecurity researchers on Wednesday disclosed critical flaws in the Atlassian project and software development platform that could be exploited to take over an account and control some of the apps connected through its single sign-on (SSO) capability.
“With just one click, an attacker could have used the flaws to get access to Atlassian’s publish Jira system and get sensitive information, such as security issues on Atlassian cloud, Bitbucket and on premise products,” Check Point Research said in an analysis shared with The Hacker News.
After the issues were reported to Atlassian on Jan. 8, 2021, the Australian company deployed a fix as part of its updates rolled out on May 18. The sub-domains affected by the flaws include –
Successful exploitation of these flaws could result in a supply-chain attack wherein an adversary can take over an account, using it to perform unauthorized actions on behalf of the victim, edit Confluence pages, access Jira tickets, and even inject malicious implants to stage further attacks down the line.
The weaknesses hinge on the fact that Atlassian uses SSO to ensure seamless navigation between the aforementioned domains, thus creating a potential attack scenario that involves injecting malicious code into the platform using XSS and CSRF, followed by leveraging a session fixation flaw to hijack a valid user session and take control of an account.
In other words, an attacker can trick a user into clicking on a specially-crafted Atlassian link in order to execute a malicious payload that steals the user’s session, which can then be used by the bad actor to log in to the victim’s account and gain sensitive information.
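The session fixation step in the chain above only works if the server keeps whatever session identifier the browser already presents when the user authenticates. The following added example (written for this article, not Atlassian's or Check Point's code) contrasts a login routine with that defect against one that rotates the session identifier at the authentication boundary, using a constructed in-memory session store and a constructed attacker-known identifier.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store, constructed for this example."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"user": str | None}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login_fixable(self, sid, user):
        # Defective: the identifier the browser already carries is kept across
        # authentication, so an id planted before login (via XSS, a subdomain
        # cookie, or a crafted link) becomes an authenticated session.
        if sid not in self.sessions:
            self.sessions[sid] = {"user": None}
        self.sessions[sid]["user"] = user
        return sid

    def login_hardened(self, sid, user):
        # Mitigation: discard the pre-auth identifier and issue a fresh, server
        # generated one at the privilege boundary; the planted id never
        # resolves to the authenticated user.
        self.sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def whoami(self, sid):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def simulate_fixation(hardened):
    """Plant a known session id in the victim's browser, let the victim log in,
    and return the user that the planted id resolves to afterwards."""
    store = SessionStore()
    planted = "attacker-known-session-id"  # constructed value
    login = store.login_hardened if hardened else store.login_fixable
    # The victim's browser presents the planted id while authenticating.
    login(planted, "victim@example.com")  # constructed account name
    return store.whoami(planted)
```

With the fixable login the planted identifier resolves to the victim's account after login; with the hardened login it resolves to nothing, because the authenticated session lives under an identifier the attacker never saw.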
What’s more, armed with the Jira account, the attacker can proceed to gain control of a Bitbucket account by opening a Jira ticket embedded with a malicious link to a rogue website that, when clicked from an auto-generated email message, could be used to pilfer the credentials, effectively granting them permissions to access or modify source code, make the repository public, or even insert backdoors.
“Supply chain attacks have piqued our interest all year, ever since the SolarWinds incident. The platforms from Atlassian are central to an organization’s workflow,” said Oded Vanunu, head of products vulnerabilities research at Check Point. “An incredible amount of supply chain information flows through these applications, as well as engineering and project management.”
“In a world where distributed workforces increasingly depend on remote technologies, it’s imperative to ensure these technologies have the best defenses against malicious data extraction,” Vanunu added.