Action required: Atlassian Connect vulnerability allows bypass of app qsh verification via context JWTs

@HeyJoe, if I update my app descriptor and its URL remains the same (I have just added a new parameter), should I create a new version of my app in the Marketplace vendor management section? Or will the new descriptor be automatically updated by the Marketplace?

The Atlassian Marketplace should spot the difference, via polling your descriptor, and make a minor version bump. If that does not happen automatically then you can always perform the change manually.

If I only received webhooks from JIRA after the installation, do I only need to add the new field to my descriptor, or must I validate the qsh I received in the webhook JWT?

If the requests I make to the JIRA REST API already contain a qsh in the JWT, do I need to do anything more?

Hi everyone,

Please note the update to this announcement dated today (May 7 2021): if your app is using Atlassian Connect Spring Boot, please upgrade to Atlassian Connect Spring Boot 2.1.5 or later; 2.1.4 regressed on the fix introduced in 2.1.3.

Sorry for the confusion!

Hi @MichaelRichardson ,

Because webhook requests to your app are signed with a JWT that includes a qsh claim, you must do both: add the new field to your descriptor and validate the JWT, including the qsh claim, in your webhook request handler.

This vulnerability relates to authenticated JWT requests that Atlassian sends to your app, not authenticated JWT requests that your app sends to Atlassian.
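The reply above says a webhook handler must validate the incoming JWT "including the qsh claim". The following Python is an added example, not code from this thread or from Atlassian's own Connect libraries: it verifies an HS256 Connect JWT with the standard library only and recomputes the qsh from the actual request (method, path, query), so a token whose qsh does not match the request (for example a context JWT, which carries a fixed placeholder value instead of a request hash, assumed here to be the string `context-qsh`) is rejected. The canonical request format follows my reading of the Connect JWT documentation; the client key and shared secret are constructed placeholders standing in for the values your app stored from its `installed` lifecycle event.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, quote, urlparse

# Constructed values for this demo; a real app uses the clientKey and sharedSecret
# it stored from the 'installed' lifecycle event (assumption, not from the thread).
CLIENT_KEY = "constructed-client-key"
SHARED_SECRET = "constructed-shared-secret"
# Placeholder qsh carried by context JWTs instead of a request hash (assumed value).
CONTEXT_QSH = "context-qsh"


def _encode_rfc3986(value: str) -> str:
    # Percent-encode everything except RFC 3986 unreserved characters (uppercase hex).
    return quote(value, safe="-_.~")


def canonical_request(method: str, path: str, query: dict, context_path: str = "") -> str:
    """Build the canonical request string whose SHA-256 hex digest is the expected qsh.

    method: HTTP method, upper-cased
    path: request path with any context path prefix and trailing slash removed
    query: parameter name -> list of values; the 'jwt' parameter is never hashed
    """
    if context_path and path.startswith(context_path):
        path = path[len(context_path):]
    path = path.rstrip("/") or "/"
    encoded = {}
    for key, values in query.items():
        if key == "jwt":
            continue
        if isinstance(values, str):
            values = [values]
        # multi-valued parameters: encode each value, sort, join with a literal comma
        encoded[_encode_rfc3986(key)] = ",".join(sorted(_encode_rfc3986(v) for v in values))
    canonical_query = "&".join(f"{k}={encoded[k]}" for k in sorted(encoded))
    return "&".join([method.upper(), path, canonical_query])


def expected_qsh(method: str, url: str, context_path: str = "") -> str:
    parsed = urlparse(url)
    query = parse_qs(parsed.query, keep_blank_values=True)
    canonical = canonical_request(method, parsed.path, query, context_path)
    return hashlib.sha256(canonical.encode()).hexdigest()


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def sign_jwt(claims: dict, secret: str) -> str:
    """Mint an HS256 JWT; used here only to build test tokens the way Atlassian would."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_request(method: str, url: str, token: str, secret: str, issuer: str, now=None) -> dict:
    """Return the verified claims for an inbound request, or raise ValueError."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if malformed
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse 'none' and any other algorithm
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("unknown issuer")
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    # The qsh check is what closes the context-JWT bypass: the claim must equal the
    # hash of the request actually received, so a placeholder or another request's
    # hash never passes.
    qsh = claims.get("qsh")
    if not isinstance(qsh, str) or not hmac.compare_digest(expected_qsh(method, url), qsh):
        raise ValueError("qsh mismatch: token was not issued for this request")
    return claims


def request_is_valid(method: str, url: str, token: str, secret: str, issuer: str, now=None) -> bool:
    try:
        verify_request(method, url, token, secret, issuer, now)
        return True
    except ValueError:
        return False
```

In a handler, pass the received method, the request URL (path plus query string) and the token taken from the `Authorization: JWT ...` header, and look the shared secret up by the token's `iss` claim before verifying; the lookup-then-verify order above (signature, issuer, expiry, qsh) keeps an attacker from learning anything about a request's qsh from a token that does not even verify.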