Atlassian has warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible and Jira products that critical-rated flaws pose a security risk.
The "Servlet Filter Dispatcher Vulnerability" is detailed in the company's July security advisory.
One of the flaws – CVE-2022-26136 – is described as an arbitrary servlet filter bypass, meaning an attacker could send a specially crafted HTTP request to bypass the custom servlet filters that third-party apps use to enforce authentication.
The scary part is that the flaw allows a remote, unauthenticated attacker to bypass authentication enforced by third-party apps. The really scary part is that Atlassian does not have a definitive list of apps that might be affected.
"Atlassian has released updates that address the root cause of this vulnerability, but has not fully accounted for all of the potential consequences of this vulnerability," it added.
The second flaw – CVE-2022-26137 – is a cross-origin resource sharing (CORS) bypass.
Atlassian explains it as follows: "Sending a specially crafted HTTP request can exploit servlet filters used to respond to CORS requests, resulting in a CORS bypass. An attacker who tricks a user into requesting a malicious URL can gain access to a vulnerable application with the victim's permissions."
Confluence users have another flaw to worry about: CVE-2022-26138 reveals that one of its Confluence apps contains a hard-coded password, added to help with migration to the cloud.
If that password falls into the wrong hands, the Confluence installation is an open book.
The flaws exist in older versions of Atlassian products. Fixes have been released and upgrades are required. Cloud versions of the products hosted by Atlassian have already been patched.
News of the vulnerabilities comes just six weeks after Atlassian acknowledged another critical flaw in Confluence, which was under active attack.
With or without such attacks, Atlassian has had a rough year. Three critical flaws that have been present in its products for years – and one embarrassing cloud outage – are not things that enterprise customers appreciate. ®