Vulnerabilities that could allow XSS, CSRF and one-click account takeovers in Atlassian subdomains have been patched.
Accounts on Atlassian, a platform used by 180,000 customers to engineer software and manage projects, could have been hijacked with a single click due to security flaws.
Cybersecurity researchers on Wednesday disclosed critical flaws in the Atlassian project and software development platform that could be exploited to take over an account and control some of the apps connected through its single sign-on (SSO) capability.
The vulnerabilities in question were found in several Atlassian-maintained websites, rather than on-prem or cloud-based Atlassian products.
After the issues were reported to Atlassian on Jan. 8, 2021, the Australian company deployed a fix as part of its updates rolled out on May 18. The sub-domains affected by the flaws include –
Check Point Research (CPR) explained that exploit code utilizing the vulnerabilities in the subdomains could be deployed through a victim clicking on a malicious link. A payload would then be sent on behalf of the victim and a user session would be stolen.
The Content Security Policy (CSP) was configured “poorly” on this subdomain, the researchers explained, with “unsafe-inline” and “unsafe-eval” directives, which allow script execution. This made the subdomain “a perfect starting point” for research, they said. They were able to exploit the XSS bug to snag all the cookies and the local storage of the target.
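The weakness the researchers describe, a CSP whose script directive carries 'unsafe-inline' and 'unsafe-eval', is the kind of misconfiguration that can be checked mechanically. The following is an added example written for this article, not code from Check Point Research or Atlassian: it parses a Content-Security-Policy header the way a browser would (first occurrence of a directive wins, script-src falling back to default-src) and reports the source expressions that would let injected markup execute script. The two policies it ships with are constructed for illustration and are not the headers that were deployed on the affected subdomain.

```python
"""Audit a Content-Security-Policy header for directives that let injected
script execute.  Added example for this article; not code from Check Point
Research or Atlassian.  The policies in WEAK_CSP and HARDENED_CSP are
constructed for illustration, not the headers the article describes."""
from __future__ import annotations

# Source expressions that allow attacker-controlled script to run once an
# HTML injection exists, with the reason each one matters.
RISKY_SOURCES = {
    "'unsafe-inline'": "inline <script> blocks and on* handlers run",
    "'unsafe-eval'": "eval()/new Function()/setTimeout(string) run attacker text",
    "*": "scripts load from any origin",
    "data:": "scripts load from data: URLs supplied in the injected markup",
}

NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Constructed policies: the first mirrors the kind of weakness the article
# describes, the second is one hardened equivalent.
WEAK_CSP = ("default-src 'self'; "
            "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com; "
            "img-src *")
HARDENED_CSP = ("default-src 'self'; "
                "script-src 'self' 'nonce-EXAMPLE_PER_RESPONSE_NONCE'; "
                "object-src 'none'; base-uri 'self'")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive: [source, ...]}.
    Browsers honour only the first occurrence of a directive, so a later
    duplicate is ignored here as well."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_script_sources(policy: dict[str, list[str]]) -> list[str] | None:
    """script-src governs script loading; if it is missing, default-src
    applies; if both are missing there is no restriction at all."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def audit_csp(header: str) -> list[tuple[str, str]]:
    """Return (source, reason) findings for the script-governing directive.
    An empty list means no inline/eval/wildcard script source is allowed."""
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return [("<missing>", "no script-src or default-src: script execution is unrestricted")]
    nonce_or_hash = any(s.lower().startswith(NONCE_OR_HASH_PREFIXES) for s in sources)
    findings: list[tuple[str, str]] = []
    for src in sources:
        key = src.lower()  # CSP keywords match case-insensitively
        if key not in RISKY_SOURCES:
            continue
        reason = RISKY_SOURCES[key]
        # CSP Level 2+ browsers ignore 'unsafe-inline' when a nonce or hash is
        # present; keep the finding but say so, since older engines still honour it.
        if key == "'unsafe-inline'" and nonce_or_hash:
            reason += " (ignored by CSP2+ browsers because a nonce/hash is present)"
        findings.append((src, reason))
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"{label}:")
        for src, reason in audit_csp(policy) or [("-", "no script-execution weaknesses found")]:
            print(f"  {src}: {reason}")
```

Run against the weak policy the audit reports 'unsafe-inline' and 'unsafe-eval'; against the nonce-based policy it reports nothing, because only scripts carrying the per-response nonce may run. The same check belongs in a deployment pipeline so that a relaxed CSP on any public subdomain is caught before it becomes the "starting point" the researchers describe.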
“With just one click, an attacker could have used the flaws to take over accounts and control some of Atlassian’s applications, including Jira and Confluence,” the researchers said.
“Supply chain attacks have piqued our interest all year, ever since the SolarWinds incident. The platforms from Atlassian are central to an organization’s workflow,” said Oded Vanunu, head of products vulnerabilities research at Check Point. “An incredible amount of supply chain information flows through these applications, as well as engineering and project management.”
SolarWinds, too, is a prime example of how devastating a supply chain attack can be. Approximately 18,000 SolarWinds clients received a malicious SolarWinds Orion software update that planted a backdoor into their systems; however, the attackers cherry-picked a handful of victims for further compromise, including Microsoft, FireEye, and several federal agencies.