Atlassian has fixed a chain of vulnerabilities disclosed to the Australian collaboration software vendor, which could have been used to take over accounts and control applications on its domains.
Security vendor Check Point Software was able to bypass protective measures for Atlassian's Single Sign-On (SSO) system such as the Content Security Policy (CSP) in web browsers, and SameSite Strict and HttpOnly marked cookies with access restrictions.
Check Point found that the training.atlassian.com subdomain's CSP was configured improperly and allowed script execution.
By combining cross-site scripting and request forgery (XSS and CSRF), the researchers were able to inject a malicious payload into the Atlassian training site's shopping cart, which allowed them to perform actions as the victim user.
To obtain the user's session cookie, the Check Point researchers deployed a cookie fixation attack.
This forced the use of a cookie known to the attacker, which then became authenticated and in turn bypassed the HttpOnly restriction and enabled the account hijacking.
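The three defensive controls the chain defeated (a CSP that permits script execution, session cookies without HttpOnly/SameSite=Strict, and a session ID that survives authentication) can be audited from response headers. The following is an added example, not Check Point's or Atlassian's code; the header values are constructed samples.

```python
"""Audit response headers for the weaknesses exploited in the Atlassian SSO chain."""
from typing import Dict, List

# script-src values that let attacker-controlled script run despite a CSP being present
UNSAFE_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into directive -> list of sources."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def csp_findings(header: str) -> List[str]:
    """Report script sources that make XSS payload execution possible under this CSP."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:  # neither directive present: scripts are not restricted at all
        return ["no script-src or default-src: scripts from any origin allowed"]
    return [f"script-src permits {s}" for s in sources if s in UNSAFE_SCRIPT_SOURCES]


def cookie_findings(set_cookie: str) -> List[str]:
    """Check a Set-Cookie header for the attributes a session cookie needs."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly")
    if "samesite=strict" not in attrs:
        findings.append(f"{name}: SameSite not Strict")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    return findings


def fixation_finding(pre_auth_value: str, post_auth_set_cookie: str) -> List[str]:
    """Cookie fixation defence: the session ID must be reissued when the user logs in."""
    post_value = post_auth_set_cookie.split(";", 1)[0].split("=", 1)[1].strip()
    if post_value == pre_auth_value:
        return ["session id unchanged across login: vulnerable to cookie fixation"]
    return []


if __name__ == "__main__":  # constructed sample headers, not captured from any real host
    print(csp_findings("default-src 'self'; script-src 'self' 'unsafe-inline'"))
    print(cookie_findings("SESSION=abc123; Path=/"))
    print(fixation_finding("abc123", "SESSION=abc123; Path=/; HttpOnly"))
```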
From the Atlassian training site, the researchers were able to pivot to accounts on Jira, Confluence, and other subdomains operated by the Australian vendor.
The researchers were also able to use the hijacked Jira account to break into Bitbucket code repositories.
A supply-chain attack that reaches an organisation's Bitbucket repository is especially dangerous, as it could lead to altered source code being planted to distribute malware or backdoors.