Users of several popular Atlassian products, including Jira, Confluence, and Bamboo could be vulnerable to two high-severity vulnerabilities that allow remote code execution and escalation of privilege.
As reported by The Register, Atlassian recently issued a warning, which details “Servlet Filter dispatcher vulnerabilities”.
The first vulnerability is tracked as CVE-2022-26136, an arbitrary Servlet Filter bypass, allowing threat actors to bypass custom Servlet Filters that third-party apps use for authentication. All they’d need to do is send a custom, malicious HTTP request.
How deep the rabbit hole goes
While Atlassian says it has now fixed the issue, this is only the case for some of its products, with the full extent of the vulnerability is still unknown.
“Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability,” the security advisory reads (opens in new tab).
Furthermore, the company explained how the same flaw could be used in a cross-site scripting attack. By using a custom HTTP request, a threat actor can bypass the Servlet Filter that validates authentic Atlassian Gadgets. “An attacker that can trick a user into requesting a malicious URL can execute arbitrary JavaScript in the user’s browser,” the company said.
The second vulnerability is tracked as CVE-2022-26137, and is described as a cross-origin resource sharing (CORS) bypass.
“Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass,” Atlassian said. “An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions.”
While these two flaws were found in a handful of Atlassian products, there was one more, found only in Confluence. The CVE-2022-26138 flaw is, in fact, a hard-coded password, set up to help cloud migrations.
“The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group,” the company concluded.
The cloud versions of Atlassian products have been patched, it was said, while those hosted on corporate endpoints need to be updated manually.
Via: The Register (opens in new tab)
