CVE-2021-26074: 
Java vulnerability analysis and mitigation

CVE-2021-26074 is a critical authentication vulnerability in Atlassian Connect Spring Boot (ACSB), a Java Spring Boot package for building Atlassian Connect apps. The vulnerability was discovered and disclosed in April 2021, affecting versions 1.1.0 through 2.1.2. The issue allows authentication bypass where the system erroneously accepts context JWTs in lifecycle endpoints where only server-to-server JWTs should be accepted (Atlassian Advisory).

The vulnerability stems from a flaw in the authentication mechanism where Atlassian Connect Spring Boot versions between 1.1.0 - 2.1.2 incorrectly accept context JWTs in lifecycle endpoints (such as installation) instead of only accepting server-to-server JWTs. The vulnerability has been assigned a CVSS v3 score of 9.1, indicating Critical severity. The attack vector is Network-based, with Low attack complexity and Low privileges required, requiring No user interaction (Atlassian Advisory).

The vulnerability has significant impact metrics with High Confidentiality impact and Low Integrity and Availability impacts. The scope is considered Changed, indicating that the vulnerability can affect resources beyond its security scope (Atlassian Advisory).

The vulnerability was fixed in Atlassian Connect Spring Boot version 2.1.3. However, version 2.1.4 regressed on the fix, so users should upgrade to version 2.1.5 or later. Organizations must add a new context-qsh element to the apiMigrations section of the app descriptor and update endpoints designed to work with context JWTs to accept a static qsh of context-qsh (Developer Community).