Atlassian has released advisories for its Bitbucket, Jira, Confluence, Fisheye, Crucible, and Bamboo products, stating that two critical-severity vulnerabilities affect these widely used products.
The company's July security advisory describes them as "Servlet Filter dispatcher vulnerabilities." The first, CVE-2022-26136 (its Common Vulnerabilities and Exposures identifier), is an arbitrary Servlet Filter bypass: an attacker can send specially crafted HTTP requests that bypass custom Servlet Filters used by third-party apps to enforce authentication.
The real danger lies in the fact that the flaw allows an unauthenticated, remote attacker to bypass authentication used by the third-party applications. Even worse, Atlassian admits it does not yet fully understand the breadth and depth of impact across the applications that are potentially affected. In its notice, the company states, "Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability."
The same flaw has more than one consequence. Besides the authentication bypass, a specially crafted HTTP request can also bypass the Servlet Filter that validates legitimate Atlassian Gadgets, and that bypass can result in cross-site scripting (XSS).
All of that applies to just one of the two vulnerabilities. The second, CVE-2022-26137, is a cross-origin resource sharing (CORS) bypass. "Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim's permissions," Atlassian explained.
On top of that, Confluence users are affected by a third issue, CVE-2022-26138: a hard-coded password. The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account with the username disabledsystemuser and a hard-coded password, and places that account in the confluence-users group; the account was intentionally included to help migrations to the cloud. Hard-coding credentials is a generally bad practice, and here the consequence is direct: any remote, unauthenticated attacker who learns the password can log in to Confluence and access all content available to members of the confluence-users group.
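A practical check follows from this. Confluence's Tomcat access log records the authenticated username for every request, so a defender can scan it for any request served to disabledsystemuser: a healthy deployment should show none, and a run of authenticated requests from an outside address is a strong sign the hard-coded password has been used. The script below is an added example written for this article, not code from Atlassian or from the advisory. It assumes the default Confluence access log valve pattern `%t %{X-AUSERNAME}o %I %h %r %s %Dms %b %{Referer}i %{User-Agent}i` (unauthenticated requests log `-` in the username field); the log lines it scans are constructed for the demo.

```python
"""Scan Confluence access log lines for requests authenticated as the
hard-coded account behind CVE-2022-26138 (``disabledsystemuser``).

Added example for this article; not Atlassian's code. It assumes the
default Confluence/Tomcat access log valve pattern
``%t %{X-AUSERNAME}o %I %h %r %s %Dms %b %{Referer}i %{User-Agent}i``.
The sample log lines below are constructed, not real traffic.
"""
import re
import sys
from collections import Counter
from typing import Iterable

HARDCODED_USER = "disabledsystemuser"

# One regex group per token of the access-log pattern above.
ACCESS_LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] "                           # %t  -> [20/Jul/2022:10:15:42 +0000]
    r"(?P<user>\S+) "                                 # %{X-AUSERNAME}o ("-" if anonymous)
    r"(?P<thread>\S+) "                               # %I  -> http-nio-8090-exec-3
    r"(?P<ip>\S+) "                                   # %h  -> client address
    r"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+) "  # %r  -> request line
    r"(?P<status>\d{3}) "                             # %s  -> HTTP status
    r"(?P<ms>\d+)ms "                                 # %Dms -> processing time
    r"(?P<bytes>\S+) "                                # %b  -> bytes sent
    r"(?P<referer>\S+) "                              # %{Referer}i
    r"(?P<ua>.*)$"                                    # %{User-Agent}i (may contain spaces)
)


def parse_line(line: str):
    """Return the parsed fields as a dict, or None if the line does not match the pattern."""
    m = ACCESS_LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_hardcoded_user_requests(lines: Iterable[str], username: str = HARDCODED_USER):
    """Return every parsed request whose authenticated user is ``username``.

    The comparison is case-insensitive because Confluence usernames are."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["user"].lower() == username.lower():
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per client IP so the analyst can see where the logins came from."""
    return Counter(rec["ip"] for rec in hits)


# Constructed sample log lines (not real traffic). Lines 2 and 3 show an anonymous
# login sequence; lines 4 and 5 show the same client then acting as the hard-coded user.
SAMPLE_LOG = [
    "[20/Jul/2022:10:15:42 +0000] admin http-nio-8090-exec-3 10.0.0.5 "
    "GET /rest/api/content HTTP/1.1 200 45ms 1234 - Mozilla/5.0",
    "[20/Jul/2022:10:16:01 +0000] - http-nio-8090-exec-1 198.51.100.7 "
    "GET /login.action HTTP/1.1 200 12ms 5120 - curl/7.83.1",
    "[20/Jul/2022:10:16:02 +0000] - http-nio-8090-exec-1 198.51.100.7 "
    "POST /dologin.action HTTP/1.1 302 88ms 0 - curl/7.83.1",
    "[20/Jul/2022:10:16:03 +0000] disabledsystemuser http-nio-8090-exec-2 198.51.100.7 "
    "GET /rest/api/content?limit=500 HTTP/1.1 200 310ms 204800 - curl/7.83.1",
    "[20/Jul/2022:10:16:05 +0000] disabledsystemuser http-nio-8090-exec-2 198.51.100.7 "
    "GET /rest/api/space HTTP/1.1 200 40ms 8192 - curl/7.83.1",
    "[20/Jul/2022:10:17:30 +0000] jdoe http-nio-8090-exec-4 10.0.0.9 "
    "GET /display/ENG/Runbook HTTP/1.1 200 60ms 9876 - Mozilla/5.0",
]

if __name__ == "__main__":
    # Pass a real access log path as argv[1]; otherwise the constructed sample is scanned.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    hits = find_hardcoded_user_requests(source)
    for rec in hits:
        print(f"{rec['ts']} {rec['ip']} {rec['method']} {rec['path']} -> {rec['status']}")
    print("requests per source IP:", dict(summarize(hits)))
```

Run it against `<confluence-home>/logs/conf_access_log.*` on the server; any hit at all is worth investigating, because the account is not meant to be used interactively. The same parser can be pointed at any other username of interest by passing it as the second argument.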
All of these vulnerabilities exist in many versions of the affected Atlassian products, including some that are several years old. The company has released patches and has already updated the versions of the products it hosts in its own cloud environment.
This latest news comes just six weeks after Atlassian's admission of another critical flaw in Confluence—one that the company acknowledged was under active attack.
For help finding vulnerabilities in your system contact Webcheck Security.