Atlassian reveals critical flaws across its product line • The Register


Atlassian has warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible and Jira products that a handful of critical bugs threaten their security.

The company’s July security advisory describes them as “Servlet Filter dispatcher vulnerabilities.”

One of the bugs – CVE-2022-26136 – is described as an arbitrary Servlet filter bypass, meaning an attacker could send a specially crafted HTTP request to bypass custom Servlet filters that third-party apps use to enforce authentication.

The scary part is that the bug allows an external, unauthenticated attacker to bypass authentication used by third-party apps. The really scary part is that Atlassian does not have a definitive list of apps that can be affected.

“Atlassian has released updates that fix the cause of this vulnerability, but has not exhaustively listed all potential consequences of this vulnerability,” it added.

The same CVE can also be exploited in a cross-site scripting attack: a specially crafted HTTP request can bypass the Servlet filter used to validate legitimate Atlassian Gadgets. “An attacker who could trick a user into requesting a malicious URL could run arbitrary JavaScript in the user’s browser,” Atlassian explains.

The second bug – CVE-2022-26137 – is a cross-origin resource sharing (CORS) bypass.

Atlassian explains: “Sending a specially crafted HTTP request can invoke the Servlet filter used to respond to CORS requests, resulting in a CORS bypass. An attacker who could trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions.”

Confluence users have another bug to worry about: CVE-2022-26138 reveals that one of the Confluence apps ships with a hard-coded password intended to help migrations to the cloud. It explained:

If the password falls into the wrong hands, a Confluence implementation is an open book.

The bugs are present in year-old versions of Atlassian products. Fixes have been issued and require upgrades. Cloudy versions of Atlassian’s products have already been patched.

The news of the vulnerabilities comes just six weeks after Atlassian’s admission of another critical error in Confluence that was under active attack.

The Register believes these new bugs will also attract the attention of malicious actors. CVE-2022-26136 probably represents a significant opportunity to examine long-forgotten integrations for their potential to provide a way into Atlassian products, and from there to do all sorts of damage with a nasty piece of JavaScript.

With or without such attacks, Atlassian has had a tough year. Three critical flaws that have been present in products for years – and an embarrassing cloudburst – are not the kind of things corporate customers appreciate. ®
