Atlassian has warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that a pair of critical-rated flaws threaten their security.
The company’s July security advisories detail “Servlet Filter dispatcher vulnerabilities.”
One of the flaws – CVE-2022-26136 – is described as an arbitrary Servlet Filter bypass that means an attacker could send a specially crafted HTTP request to bypass custom Servlet Filters used by third-party apps to enforce authentication.
The scary part is that the flaw allows a remote, unauthenticated attacker to bypass authentication used by third-party apps. The really scary part is that Atlassian doesn’t have a definitive list of apps that could be impacted.
“Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability,” it added.
The same CVE can also be exploited in a cross-site scripting attack: a specially crafted HTTP request can bypass the Servlet Filter used to validate legitimate Atlassian Gadgets. “An attacker that can trick a user into requesting a malicious URL can execute arbitrary JavaScript in the user’s browser,” Atlassian explains.
The second flaw – CVE-2022-26137 – is a cross-origin resource sharing (CORS) bypass.
Atlassian explains it as follows: “Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions.”
Confluence users have another flaw to worry about: CVE-2022-26138 reveals that one of its Confluence apps has a hard-coded password in place to help migrations to the cloud. It explained:
Source: Atlassian reveals critical flaws across its product line • The Register
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft