CVE-2024-48941
Description
The Syracom Secure Login (2FA) plugin for Jira, Confluence, and Bitbucket allows remote attackers to bypass 2FA due to an insecure default whitelist that includes the /rest endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Syracom Secure Login (2FA) plugin for Jira, Confluence, and Bitbucket, in all versions up to and including 3.1.4.5, ships with an insecure default configuration: the /rest and /downloads URL paths are on the plugin's default allowlist of paths exempt from the second factor. Because every REST API call lives under /rest, REST requests are never challenged for 2FA, so anyone holding a valid username and password can use the account's full API access without ever presenting the second factor [1]. All three Atlassian products are affected [1].
Exploitation
An attacker needs only valid credentials (username and password) for the target Atlassian instance. No special network position is required beyond ordinary access to the instance's REST API. The attacker sends the username and password to a /rest endpoint (for example /rest/api/2/issue, using HTTP Basic authentication, which the Server/Data Center REST APIs accept); because /rest is allowlisted by default, the request is served without any 2FA challenge. The attacker can then perform any action the account is authorized for [1].
Impact
Successful exploitation lets an attacker bypass the 2FA mechanism and reach any REST API endpoint the account may use. Depending on the permissions of the compromised account, this can expose sensitive information, allow data to be modified or deleted, or serve as a foothold for further compromise of the Atlassian instance, so the confidentiality, integrity, and availability of the instance are at risk [1].
Mitigation
As of the advisory release (September 16, 2024), no fixed version had been announced [1]. Administrators should remove /rest and /downloads from the allowlist in the Secure Login configuration. The caveat is that any machine-to-machine integration that authenticates to the REST API with only a username and password will then be blocked by the 2FA challenge, so inventory such integrations before making the change and re-test the REST API afterwards. The same advisory also covers a separate TOTP-related weakness in the plugin (not this CVE); for that issue it recommends configuring a smaller Time Window Size (e.g., 1) and enabling brute-force detection. Both issues are rated medium severity with no known active exploitation [1].
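The following is an added example, not code from the advisory, Syracom or Atlassian. It serves both the Exploitation and Mitigation sections: it models the path-prefix allowlist the advisory describes (the insecure default beside a hardened, empty one) and provides a probe an administrator can run before and after removing /rest from the allowlist to confirm that a password-only REST request is no longer served. Assumptions, which are not stated in the advisory: the plugin matches allowlist entries as path prefixes; the instance accepts HTTP Basic authentication on its REST API (Jira, Confluence and Bitbucket Server/Data Center do); and /rest/api/2/myself is a suitable authenticated Jira endpoint (pick an equivalent authenticated endpoint for Confluence or Bitbucket via the endpoint argument). The sample paths in the test are constructed.

```python
"""Probe for CVE-2024-48941-style 2FA bypass on /rest (added example).

Run:  JIRA_PASSWORD=... python probe.py https://jira.example.test alice
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

# Model of the allowlist as the advisory describes it: a request whose path
# falls under an allowlisted prefix skips the second factor.
# ASSUMPTION: prefix matching; the advisory only states that /rest is
# allowlisted and that REST calls are therefore not subject to 2FA.
INSECURE_DEFAULT_ALLOWLIST = ("/rest", "/downloads")  # shipped default per [1]
HARDENED_ALLOWLIST = ()                                # nothing exempt


def second_factor_required(path: str, allowlist) -> bool:
    """True when the path is NOT covered by an allowlist prefix."""
    return not any(path == p or path.startswith(p + "/") for p in allowlist)


@dataclass
class ProbeResult:
    status: int
    bypass: bool   # True = REST served a password-only request (2FA not enforced)
    detail: str


def interpret(status: int, body: str) -> ProbeResult:
    """Classify the response to a password-only call of an authenticated REST endpoint."""
    if status == 200:
        try:
            json.loads(body)
        except ValueError:
            return ProbeResult(status, False, "200 with non-JSON body (likely a login/2FA page)")
        return ProbeResult(status, True, "REST call succeeded with password only: 2FA not enforced on /rest")
    if status in (401, 403):
        return ProbeResult(status, False, "rejected: wrong credentials, or 2FA/another policy enforced")
    if status in (301, 302, 303, 307, 308):
        return ProbeResult(status, False, "redirected (typically to a login or 2FA page)")
    return ProbeResult(status, False, f"unexpected status {status}")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects; a redirect to a 2FA page is itself the answer."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url: str, username: str, password: str,
          endpoint: str = "/rest/api/2/myself", timeout: int = 15) -> ProbeResult:
    """Send one HTTP Basic request (username:password only) to a REST endpoint."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + endpoint,
        headers={"Authorization": "Basic " + token, "Accept": "application/json"},
    )
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return interpret(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:   # 3xx/4xx/5xx arrive here
        return interpret(e.code, e.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    if len(sys.argv) != 3 or "JIRA_PASSWORD" not in os.environ:
        sys.exit("usage: JIRA_PASSWORD=... probe.py <base_url> <username>")
    r = probe(sys.argv[1], sys.argv[2], os.environ["JIRA_PASSWORD"])
    print(f"HTTP {r.status}: {r.detail}")
    sys.exit(1 if r.bypass else 0)   # non-zero when the bypass is present
```

The password is read from the environment rather than the command line so it does not land in shell history or process listings. A 401/403 after hardening only shows that password-only REST access is refused; it does not by itself prove the plugin was the component that refused it, so run the probe once before the change (expect a 200) and once after.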
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Syracom / Secure Login (2FA) plugin for Jira, Confluence, and Bitbucket
  - Range: <=3.1.4.5
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.