Impact
The Secure Login (2FA) plugin for Atlassian Jira, Confluence and Bitbucket in versions 3.4.0.x contains a broken access control flaw that allows an attacker who already has valid user credentials to bypass the two‑factor authentication step. By sending HTTP requests with a specially crafted User‑Agent header containing strings like AtlassianMobileApp or JIRA, the plugin skips the configured 2FA checks for protected resources. Successful exploitation gives the attacker full access to the application under the compromised account, and if that account has administrative rights the attacker can perform privileged actions or even disable the 2FA protection itself.
Affected Systems
Affected systems are syracom AG’s Secure Login (2FA) plugin deployments for Atlassian Jira, Confluence and Bitbucket. The vulnerability exists in all 3.4.0.x releases of the plugin. Versions 3.5.0.0 and later contain the fix.
Risk and Exploitability
The CVSS score of 8.7 indicates high severity, but the EPSS score of less than 1% shows that exploitation is currently not common. The vulnerability is not listed in the CISA KEV catalog. Attackers can reasonably send crafted HTTP requests over the network, so the attack vector is remote. If exploited, the impact could be complete compromise of privileged accounts and the ability to disable security controls. Immediate remediation is recommended.
OpenCVE Enrichment