SEC Consult SA-20260616-0 :: Broken Access Control in syracom AG Secure Login (2FA) for Atlassian Jira / Confluence / Bitbucket #CVE-2026-12225

Full Disclosure mailing list archives


From: SEC Consult Vulnerability Lab via Fulldisclosure <fulldisclosure () seclists org>
Date: Tue, 16 Jun 2026 11:53:26 +0000

SEC Consult Vulnerability Lab Security Advisory < 20260616-0 >
=======================================================================
              title: Broken Access Control
            product: syracom AG Secure Login (2FA) for Atlassian Jira /
                     Confluence / Bitbucket
 vulnerable version: 3.4.0.x
      fixed version: 3.5.0.0
         CVE number: CVE-2026-12225
             impact: High
           
homepage:https://marketplace.atlassian.com/apps/1214491/secure-login-2fa-for-confluence?hosting=datacenter&tab=overview
              found: 2026-02-27
                 by: Laurentius von Oppenkowski (Office Munich)
                     Timo Müller (Office Munich)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Atos business
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"The ORIGINAL: Strong Security via 2FA auth. for Confluence, efficient but
user friendly without any external 2-factor systems"

Source: https://marketplace.atlassian.com/apps/1214491/secure-login-2fa-for-confluence?hosting=datacenter&tab=overview


Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.
More details can be found at the end of this advisory.

SEC Consult highly recommends performing a thorough security review of the
product, conducted by security professionals, to identify and resolve potential
further security issues.


Vulnerability overview/description:
-----------------------------------
1) Broken Access Control allows 2FA bypass (CVE-2026-12225)
"Secure Login (2FA) for Confluence" by Syracom AG is a plugin which allows
administrators to integrate a 2FA workflow into their Confluence instance.
The plugin contains a broken access control vulnerability that allows an
attacker to bypass the Two-Factor Authentication process with any account by
using a specific user agent in their HTTP requests.

Once the 2FA flow has been bypassed, an attacker can access the entire
application and all of its settings, even though the 2FA plugin should block
every request to web paths that are not included in its allowlist.

In the worst case this can be abused to make administrative changes to the
Confluence instance, such as deactivating the 2FA plugin entirely and then
making further arbitrary administrative changes.

The vulnerability exists because the plugin takes a separate code branch when it
encounters specific user agents, such as the user agent of the Confluence mobile
app. For every request that carries such a user agent, the 2FA plugin does not
enforce 2FA at all.

As a precondition for successful exploitation of this vulnerability, an
attacker requires valid credentials of a victim user account, obtained for
example through a password leak or phishing.


Proof of concept:
-----------------
1) Broken Access Control allows 2FA bypass (CVE-2026-12225)
In order to exploit this issue, a maliciously crafted user agent containing the
string "AtlassianMobileApp" or "JIRA" needs to be set.
Please note that all following PoC requests must contain this string within
the user agent of the HTTP request.
Furthermore, in the PoC it is assumed that the attacker has access to the
credentials of an administrative account. However, please note that bypassing
the 2FA requirement is possible for accounts of any role.

a) The attacker logs into the application with the username and password
of a victim. Due to the specific user agent, the 2FA page is not displayed
to the user:
<initial_login.png>

b) The attacker can view the 2FA secret of their current user by accessing the
following URL:
http://localhost:8090/plugins/servlet/twofactor/userprofile

<secure_login_profile.png>

The plaintext secret on the user page alone would allow bypassing
any further 2FA requirements.

c) The maliciously crafted user agent also allows the attacker to access
administrative pages and the Confluence WebSudo page (WebSudo starts a secure
administration session and is required for many administrative actions).
   <access_configuration_from_dashboard.png>
   <websudo.png>

d) At this point, the attacker can disable the 2FA plugin via the plugin
management interface. This can be done through the UI, as seen in the
screenshots below, or by calling the following REST endpoint directly:

   /rest/plugins/1.0/de.syracom.confluence.plugins.securelogin-key

<confluence_app_management.png>

The successful exploit can be confirmed through the now disabled 2FA plugin.
<app_disabled.png>

The corresponding HTTP request to disable the plugin with the maliciously
crafted user agent looks as follows:

<disable_request.png>
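As an added detection example (not part of the advisory and not the vendor's code), the following Python scans combined-format access log lines for the pattern described above: a User-Agent containing one of the two bypass strings combined with a request to the 2FA profile servlet, the plugin-management REST endpoint, or the Confluence WebSudo action. The /authenticate.action path is an assumption (not taken from the advisory), and the sample log lines are constructed.

```python
import re
from typing import Dict, List, Optional

# Per the advisory, a User-Agent containing either string made Secure Login
# 3.4.0.x skip 2FA enforcement entirely.
BYPASS_UA_MARKERS = ("AtlassianMobileApp", "JIRA")

# Endpoints from the advisory's PoC plus the Confluence WebSudo action
# (/authenticate.action is an assumed path, not taken from the advisory).
SENSITIVE_PATH_PREFIXES = (
    "/plugins/servlet/twofactor/userprofile",
    "/rest/plugins/1.0/",
    "/authenticate.action",
)

# Apache/Tomcat "combined" access log format; User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_bypass_ua(ua: str) -> bool:
    return any(marker in ua for marker in BYPASS_UA_MARKERS)

def is_sensitive(path: str) -> bool:
    return path.split("?", 1)[0].startswith(SENSITIVE_PATH_PREFIXES)  # drop query string

def find_bypass_candidates(lines: List[str]) -> List[Dict[str, str]]:
    """Return requests that combine a bypass-style UA with a sensitive endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_bypass_ua(rec["ua"]) and is_sensitive(rec["path"]):
            hits.append({k: rec[k] for k in ("ip", "user", "method", "path", "ua")})
    return hits

# Constructed sample lines: normal browser use, legitimate mobile-app API
# traffic, and two requests matching the pattern described in the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - alice [16/Jun/2026:10:00:01 +0000] "GET /dashboard.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"',
    '10.0.0.6 - bob [16/Jun/2026:10:00:02 +0000] "GET /rest/api/content/123 HTTP/1.1" 200 910 "-" "AtlassianMobileApp/2.1 (iOS)"',
    '203.0.113.9 - admin [16/Jun/2026:10:05:10 +0000] "GET /plugins/servlet/twofactor/userprofile HTTP/1.1" 200 2048 "-" "Mozilla/5.0 AtlassianMobileApp"',
    '203.0.113.9 - admin [16/Jun/2026:10:06:44 +0000] "PUT /rest/plugins/1.0/de.syracom.confluence.plugins.securelogin-key HTTP/1.1" 200 310 "-" "JIRA-client/1.0"',
]
```

Legitimate mobile-app traffic to ordinary content APIs is not flagged; a hit against the plugin-management endpoint in particular warrants a review of that account's session history and of whether the plugin is still enabled.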


Vulnerable / tested versions:
-----------------------------
The following version has been tested, which was the latest version available
at the time of the test:
* 3.4.0.1

According to the vendor, the following versions are affected:

* Secure Login (2FA) - Jira = 3.4.0.x
* Secure Login (2FA) - Confluence = 3.4.0.x
* Secure Login (2FA) - Bitbucket = 3.4.0.0


Vendor contact timeline:
------------------------
2026-03-10: Vendor contacted through atlassian-support () syracom de
2026-03-10: Vendor confirms receipt of the advisory
            and will investigate the vulnerability.
2026-04-01: Inquiry about the status of the advisory review.
2026-04-01: Vendor states that a fix is in development
            and will be released as soon as it is ready.
2026-04-21: Vendor informs us that the fix is still in development.
2026-05-06: Vendor announces the advisory release on 2026-05-11.
2026-05-08: Vendor confirms release date.
2026-05-08: Informing vendor that our advisory will be released at
            a later date.
2026-05-11: Vendor releases security patch and advisory.
2026-06-16: Release of security advisory.


Solution:
---------
The vendor provides a patched version 3.5.0.0 which can be downloaded at:
https://marketplace.atlassian.com/apps/1214491/secure-login-2fa-for-confluence

Vendor security advisory:
https://syracom-bee.atlassian.net/wiki/spaces/SL/pages/4193255427/2026-05-11+-+Secure+Login+security+advisory+-+Broken+Access+Control

Vendor troubleshoot article:
https://syracom-bee.atlassian.net/wiki/spaces/SL/pages/4230217729/Mobile+app+login+does+not+work+with+Secure+Login


Workaround:
-----------
Not required.


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application: https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices: https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
X: https://x.com/sec_consult

EOF Laurentius von Oppenkowski, Timo Müller / 2026

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Article source: https://seclists.org/fulldisclosure/2026/Jun/16