
Cloud Vulnerability DB
A community-led vulnerabilities database
Atlassian Connect Express (ACE), a Node.js package for building Atlassian Connect apps, was found to contain a broken authentication vulnerability identified as CVE-2021-26073. The vulnerability affects versions 3.0.2 through 6.5.0, in which lifecycle endpoints (such as installation) erroneously accept context JWTs even though only server-to-server JWTs should be accepted there. The vulnerability was discovered and disclosed in early 2021, with a fix released in version 6.6.0 (Atlassian Security).
The vulnerability stems from the authentication mechanism between Atlassian products and the Atlassian Connect Express app, which uses two kinds of JWT: server-to-server JWTs and context JWTs. The flaw allows context JWTs to be accepted at lifecycle endpoints where only server-to-server JWTs should be permitted, potentially enabling attackers to send authenticated re-installation events to an app. The vulnerability has been assigned a CVSS v3 score of 9.1 (Critical): attack vector Network, attack complexity Low, privileges required Low, and user interaction None (Atlassian Security, NetApp Security).
Successful exploitation of this vulnerability could allow an attacker to send authenticated re-installation events to an app, potentially leading to unauthorized data modification and compromised application security. The vulnerability affects the confidentiality (High), integrity (Low), and availability (Low) of the system (Atlassian Security).
The primary mitigation is to upgrade to Atlassian Connect Express version 6.6.0 or higher. Organizations using affected versions must update their applications to ensure proper authentication handling. Additionally, developers need to add a new context-qsh element to the apiMigrations section of the app descriptor and update the app endpoints that are designed to work with context JWTs so that they accept a static qsh of context-qsh (Atlassian Developer).
The vulnerability received significant attention in the Atlassian developer community, leading to detailed discussion and guidance on implementing the fixes. Atlassian communicated actively with developers through its community forums and provided comprehensive documentation for remediation (Atlassian Developer).
Source: This report was generated using AI