[XPORTERCLOUD-1707] Bypass Connect app qsh verification via context JWTs - Xblend Issue Tracker

Xporter

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Done
Affects Version/s: 1.21.5
Fix Version/s: 1.21.6, Continuous Delivery
Component/s: Security
Labels:
- deploy_app
- security_vulnerability_high

Sprint:
XPORTERCLOUD 2021 Sprint 4, XPORTERCLOUD 2021 Sprint 5
Requirement Status:
OK
- 1

Description

The addon.authenticate() middleware is skipping the qsh claim validation when the claim isn't sent. This means that the jwt without qsh claim (jwt generated using AP context) is valid to perform requests to services that are using the addon.authenticate() middleware.

Please, check the attachment for more information about the fix.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

bypass qsh.docx
16 kB
31/Mar/21 3:28 PM

Issue Links

is cloned by

XPORTERCLOUD-1755 Connector for Confluence - Bypass Connect app qsh verification via context JWTs

Resolved

Activity

People

Assignee:: Andreia Costa

Reporter:: Paulo Alves

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 31/Mar/21 3:27 PM

Updated:: 17/May/21 11:27 AM

Resolved:: 16/Apr/21 12:07 PM

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

7h 30m