Atlassian has warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible and Jira products that a few critical bugs threaten their security.
The company’s security advisory from July describes “Servlet Filter dispatcher vulnerabilities.”
One of the bugs – CVE-2022-26136 – is described as an arbitrary Servlet filter bypass, which means that an attacker could send a specially crafted HTTP request to bypass custom Servlet filters used by third-party apps to enforce authentication.
The scary part is that the bug allows an external, unauthenticated attacker to bypass authentication used by third-party apps. The really scary part is that Atlassian does not have a definitive list of apps that can be affected.
“Atlassian has released updates that fix the cause of this vulnerability, but has not exhaustively listed all potential consequences of this vulnerability,” it added.
The second bug – CVE-2022-26137 – is a cross-origin resource sharing (CORS) bypass.
Atlassian explains: “Sending a specially crafted HTTP request can invoke the Servlet filter used to respond to CORS requests, resulting in a CORS bypass. An attacker who could trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions.”
Confluence users have another bug to worry about: CVE-2022-26138 reveals that one of the Confluence apps has a hard-coded password in place to help migrations to the cloud. It explained:
If the password falls into the wrong hands, a Confluence implementation is an open book.
The bugs are present in year-old versions of Atlassian products. Fixes have been issued and require upgrades. Cloud versions of Atlassian’s products have already been fixed.
The news of the vulnerabilities comes just six weeks after Atlassian’s admission of another critical flaw in Confluence that was under active attack.
With or without such attacks, Atlassian has had a tough year. Three critical flaws that have been present in products for years – and an embarrassing cloudburst – are not the kind of thing corporate customers appreciate.