Atlassian Reveals Severe Flaws in Its Product Line • The Register

Written by admin

Atlassian has warned customers of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible and Jira products that critical-rated flaws pose a security risk.

The “Servlet Filter Dispatcher Vulnerability” is detailed in the company’s July security advisory.

One of the flaws – CVE-2022-26136 – is described as an arbitrary servlet filter bypass, meaning an attacker could send a specially crafted HTTP request to bypass custom servlet filters used by third-party apps to enforce authentication.

The scary part is that the flaw allows a remote, unauthenticated attacker to bypass authentication used by third-party apps. The really scary part is that Atlassian does not have a definitive list of apps that might be affected.

“Atlassian has released updates that address the root cause of this vulnerability, but has not fully accounted for all of the potential consequences of this vulnerability,” it added.

The same CVE can also be used in a cross-site scripting attack: a specially crafted HTTP request can bypass the servlet filter used to authenticate legitimate Atlassian Gadgets. “An attacker who tricks a user into requesting a malicious URL can execute arbitrary JavaScript in the user’s browser,” Atlassian explains.

The second flaw – CVE-2022-26137 – is a cross-origin resource sharing (CORS) bypass.

Atlassian explains it as follows: “Sending a specially crafted HTTP request can exploit servlet filters used to respond to CORS requests, resulting in a CORS bypass. An attacker who tricks a user into requesting a malicious URL can gain access to a vulnerable application with the victim’s permissions.”

Confluence customers have another flaw to worry about: CVE-2022-26138 reveals that one of its Confluence apps contains a hard-coded password intended to help with migration to the cloud.

If that password falls into the wrong hands, the Confluence installation is an open book.

The defects exist in older versions of Atlassian products. Fixes have been released and upgrades are required. Cloud versions of the products hosted by Atlassian have already been fixed.

News of the vulnerabilities comes just six weeks after Atlassian acknowledged another critical flaw in Confluence, which was under active attack.

This will also attract the attention of new malicious actors. CVE-2022-26136 probably represents a big opportunity to investigate long-forgotten integrations for their potential to offer a way into Atlassian products, and from there to wreak all sorts of havoc with a nasty piece of JavaScript.

With or without such attacks, Atlassian has had a rough year. Three serious flaws that have been present in its products for years – and one embarrassing cloud outage – are not things that enterprise customers appreciate. ®
