A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: a cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker who can trick a user into requesting a malicious URL can access the vulnerable application with the victim's permissions.

Affected versions:

- Atlassian Bamboo: prior to 8.0.9, from 8.1.0 prior to 8.1.8, and from 8.2.0 prior to 8.2.4.
- Atlassian Bitbucket: prior to 7.6.16, from 7.7.0 prior to 7.17.8, from 7.18.0 prior to 7.19.5, from 7.20.0 prior to 7.20.2, from 7.21.0 prior to 7.21.2, and versions 8.0.0 and 8.1.0.
- Atlassian Confluence: prior to 7.4.17, from 7.5.0 prior to 7.13.7, from 7.14.0 prior to 7.14.3, from 7.15.0 prior to 7.15.2, from 7.16.0 prior to 7.16.4, from 7.17.0 prior to 7.17.4, and version 7.21.0.
- Atlassian Crowd: prior to 4.3.8, from 4.4.0 prior to 4.4.2, and version 5.0.0.
- Atlassian Fisheye and Crucible: prior to 4.8.10.
- Atlassian Jira: prior to 8.13.22, from 8.14.0 prior to 8.20.10, and from 8.21.0 prior to 8.22.4.
- Atlassian Jira Service Management: prior to 4.13.22, from 4.14.0 prior to 4.20.10, and from 4.21.0 prior to 4.22.4.
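The practical meaning of "access the vulnerable application with the victim's permissions" is decided in the victim's browser: a page on an attacker-controlled origin can only read an authenticated response if the application answers with `Access-Control-Allow-Origin` matching that origin and `Access-Control-Allow-Credentials: true`. The following is an added example, not code from Atlassian, Vulmon or the advisory, that models that browser-side check so captured response headers can be evaluated offline. The origin `https://attacker.example`, the `X-AUSERNAME` header and both sample responses are constructed for illustration; nothing here sends the crafted request the advisory refers to.

```python
"""Browser-side CORS evaluation for a credentialed cross-origin request.

Added example, not code from Atlassian or Vulmon. It models what a victim's
browser does with response headers: a script on ATTACKER_ORIGIN can only read
a response that was sent with the victim's session cookie if the application
answered with Access-Control-Allow-Origin equal to that origin and
Access-Control-Allow-Credentials: true. The sample responses below are
constructed for illustration, not captured from a real instance.
"""
from dataclasses import dataclass
from typing import Mapping

ATTACKER_ORIGIN = "https://attacker.example"  # hypothetical attacker origin


@dataclass(frozen=True)
class CorsVerdict:
    readable: bool  # True if script on the requesting origin can read the body
    reason: str


def browser_exposes_response(request_origin: str, headers: Mapping[str, str]) -> CorsVerdict:
    """Decide whether a credentialed (cookies included) cross-origin fetch
    from request_origin may read a response carrying these headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").lower()

    if acao is None:
        return CorsVerdict(False, "no Access-Control-Allow-Origin: response is opaque to other origins")
    if acao == "*":
        # Browsers refuse the wildcard when credentials are included.
        return CorsVerdict(False, "wildcard origin is not accepted for credentialed requests")
    if acao != request_origin:
        return CorsVerdict(False, f"allowed origin {acao!r} does not match {request_origin!r}")
    if acac != "true":
        return CorsVerdict(False, "origin matches but Access-Control-Allow-Credentials is not 'true'")
    return CorsVerdict(True, "origin reflected with credentials allowed: attacker page reads the victim's response")


# Constructed responses. The first is what an endpoint returns to a foreign
# origin it does not allow; the second is the shape of a CORS bypass, where the
# CORS filter handled a request it should not have and echoed the origin.
NORMAL_RESPONSE = {
    "Content-Type": "application/json",
    "X-AUSERNAME": "victim",
}
BYPASS_RESPONSE = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": ATTACKER_ORIGIN,
    "Access-Control-Allow-Credentials": "true",
    "X-AUSERNAME": "victim",
}


def triage(origin: str, responses: Mapping[str, Mapping[str, str]]) -> dict:
    """Evaluate several captured responses at once; returns {label: readable}."""
    return {label: browser_exposes_response(origin, hdrs).readable
            for label, hdrs in responses.items()}


if __name__ == "__main__":
    for label, hdrs in {"normal": NORMAL_RESPONSE, "bypass": BYPASS_RESPONSE}.items():
        verdict = browser_exposes_response(ATTACKER_ORIGIN, hdrs)
        print(f"{label:7s} readable={verdict.readable}  {verdict.reason}")
```

To apply this to a real instance, capture the response headers of an authenticated request that carries an `Origin` header for a domain outside the configured allowlist and pass them to `browser_exposes_response`; on a patched instance the verdict for such an origin should be "not readable".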
Vulnerable Products:

- atlassian confluence data center 7.18.0
- atlassian confluence data center
- atlassian confluence server 7.18.0
- atlassian confluence server
- atlassian jira service management
- atlassian jira data center
- atlassian jira server
- atlassian crucible
- atlassian fisheye
- atlassian crowd 5.0.0
- atlassian crowd
- atlassian bitbucket 8.1.0
- atlassian bitbucket 8.0.0
- atlassian bitbucket
- atlassian bamboo
- atlassian jira service desk
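The version ranges in the description above are the data an operator needs to triage an inventory of Atlassian instances. The following is an added example, not Atlassian's or Vulmon's own tooling, that transcribes those ranges as (lower bound inclusive, first fixed version exclusive) pairs and checks a constructed inventory against them. Treating "Jira Service Desk" as the earlier name of the Jira Service Management version line is this example's assumption; the hostnames and versions in the sample inventory are made up.

```python
"""Affected-version triage for the Atlassian advisory ranges listed above.

Added example, not Atlassian's or Vulmon's own tooling. RANGES is transcribed
from the description on this page: one (lower-inclusive, upper-exclusive) pair
per release line, where the upper bound is the first fixed version. EXACT holds
the single versions the page calls out as affected without naming a fix.
Aliasing "jira service desk" to "jira service management" is an assumption of
this example (same version line under its earlier name).
"""
import re
from typing import Iterable, List, Optional, Tuple

RANGES = {
    "bamboo": [(None, "8.0.9"), ("8.1.0", "8.1.8"), ("8.2.0", "8.2.4")],
    "bitbucket": [(None, "7.6.16"), ("7.7.0", "7.17.8"), ("7.18.0", "7.19.5"),
                  ("7.20.0", "7.20.2"), ("7.21.0", "7.21.2")],
    "confluence": [(None, "7.4.17"), ("7.5.0", "7.13.7"), ("7.14.0", "7.14.3"),
                   ("7.15.0", "7.15.2"), ("7.16.0", "7.16.4"), ("7.17.0", "7.17.4")],
    "crowd": [(None, "4.3.8"), ("4.4.0", "4.4.2")],
    "fisheye": [(None, "4.8.10")],
    "crucible": [(None, "4.8.10")],
    "jira": [(None, "8.13.22"), ("8.14.0", "8.20.10"), ("8.21.0", "8.22.4")],
    "jira service management": [(None, "4.13.22"), ("4.14.0", "4.20.10"), ("4.21.0", "4.22.4")],
}
EXACT = {
    "bitbucket": ["8.0.0", "8.1.0"],
    "confluence": ["7.21.0"],
    "crowd": ["5.0.0"],
}
ALIASES = {"jira service desk": "jira service management"}  # assumption, see above


def parse_version(s: str) -> Tuple[int, int, int]:
    """'8.20.9' -> (8, 20, 9); a missing patch component counts as 0."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def _key(product: str) -> str:
    """Normalise 'Atlassian Jira Service Desk' -> 'jira service management'."""
    k = " ".join(product.lower().split())
    if k.startswith("atlassian "):
        k = k[len("atlassian "):]
    k = ALIASES.get(k, k)
    if k not in RANGES:
        raise KeyError(f"product not covered by this advisory: {product!r}")
    return k


def first_fixed_version(product: str, version: str) -> Optional[str]:
    """First fixed version on the matching release line, or None when the
    version is not in any range (including the EXACT-only versions, for which
    this page names no fix)."""
    k = _key(product)
    v = parse_version(version)
    for low, high in RANGES[k]:
        if (low is None or v >= parse_version(low)) and v < parse_version(high):
            return high
    return None


def is_affected(product: str, version: str) -> bool:
    k = _key(product)
    v = parse_version(version)
    if first_fixed_version(product, version) is not None:
        return True
    return any(v == parse_version(e) for e in EXACT.get(k, []))


def triage_inventory(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Rows (host, product, version, action) for every affected instance."""
    rows = []
    for host, product, version in inventory:
        if is_affected(product, version):
            fix = first_fixed_version(product, version) or "see advisory"
            rows.append((host, product, version, fix))
    return rows


# Constructed inventory for illustration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("jira01", "Atlassian Jira", "8.20.9"),
    ("jira02", "Atlassian Jira", "8.22.4"),
    ("bb01", "Atlassian Bitbucket", "8.0.0"),
    ("conf01", "Atlassian Confluence", "7.13.7"),
    ("fe01", "Atlassian Fisheye", "4.8.9"),
    ("jsd01", "Atlassian Jira Service Desk", "4.13.21"),
]

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print(*row)
```

Note that a version equal to the upper bound (Jira 8.22.4, Confluence 7.13.7) is reported as fixed, while the standalone versions (Bitbucket 8.0.0 and 8.1.0, Confluence 7.21.0, Crowd 5.0.0) are flagged with no fix version because the description above names none for them.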
Fixes issued, warns it 'has not exhaustively enumerated all potential consequences'
Atlassian has warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that a pair of critical-rated flaws threaten their security. The company's July security advisories detail "Servlet Filter dispatcher vulnerabilities." One of the flaws – CVE-2022-26136 – is described as an arbitrary Servlet Filter bypass that means an attacker could send a specially crafted HTTP request to bypass custom Servlet Filters used by third-party apps to enforce authentication. The...