We've found a vulnerability in one or more of your add-ons, managed by the vendor at this email address. It lets an attacker overwrite the shared secret for an existing installation by crafting a malicious install callback. This will break the add-on on the targeted host product. It will also enable the attacker to sign JWTs with the new secret to authenticate with the add-on service and access protected data for that installation.
Fixing the vulnerability:
After a connect add-on is installed on a host product for the first time, the host will secure every subsequent install callback using a JSON Web Token (JWT) signed with the existing shared secret (not the new shared secret in the request body). The JWT will be included in the Authorization header like so: Authorization: JWT signed.base64-encoded-jwt.goes-here
To fix the vulnerability, make sure that:
Install callback requests for existing installations have the Authorization: header
The JWT in the header is signed with the existing shared secret from the previous registration.
The shared secret is updated to the new shared secret in the payload once the install callback has been verified (because the client will sign JWTs with the new secret from that point on).
You can test your fix using the attached python script (there are two versions: one for python 2.7 and one for python 3.5). The script attempts the shared secret overwrite against a specially-prepared test host, so will not affect your customers.
Thanks again for developing with Atlassian Connect, and please let us know if you have any questions.
Regards,
The Atlassian Connect Team
PS. Your add-on appeared not to be using the atlassian-connect-express framework. If it is using atlassian-connect-express, please simply update to version 1.0.9 of the library.
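The check the email describes, as an added Python example that is not part of this issue or of any Atlassian library: a stand-alone HS256 JWT verifier and an install-callback handler that only accepts a new shared secret for an existing installation when the request carries a JWT signed with the current one. The in-memory INSTALLATIONS store, handle_install, and the check that the JWT's iss claim equals the clientKey are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical in-memory installation store: clientKey -> sharedSecret.
INSTALLATIONS = {}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_jwt(claims, secret):
    """Build an HS256 JWT (used here only to construct test callbacks)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), (header + "." + payload).encode(), hashlib.sha256).digest()
    return header + "." + payload + "." + _b64url_encode(sig)


def verify_jwt(token, secret):
    """Return the claims if the HS256 signature is valid for `secret`, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # refuse 'none' and any non-HMAC algorithm
        expected = hmac.new(secret.encode(), (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        return claims if isinstance(claims, dict) else None
    except ValueError:  # covers bad base64, bad JSON and malformed tokens
        return None


def handle_install(headers, body):
    """Process an install callback; returns the HTTP status to send back."""
    client_key, new_secret = body["clientKey"], body["sharedSecret"]
    existing = INSTALLATIONS.get(client_key)
    if existing is not None:
        # Re-install: the JWT must verify under the EXISTING secret, never the one in the body.
        auth = headers.get("Authorization", "")
        if not auth.startswith("JWT "):
            return 401
        claims = verify_jwt(auth[4:], existing)
        if claims is None or claims.get("iss") != client_key:
            return 401
    INSTALLATIONS[client_key] = new_secret  # first install, or verified re-install: rotate
    return 204
```

A production handler would additionally check the token's exp claim and query-string hash; they are omitted here to keep the secret-rotation logic in view.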