Atlassian Patches Servlet Filter Vulnerabilities Impacting Multiple Products
Dwelling › Vulnerabilities
Atlassian Patches Servlet Filter Vulnerabilities Impacting A number of Merchandise
By Ionut Arghire on July 21, 2022
Tweet
Atlassian this week introduced patches for 2 crucial Servlet Filter vulnerabilities that influence a number of merchandise throughout its portfolio.
Servlet Filters are items of Java code designed to intercept and course of HTTP requests despatched between a shopper and a backend. Servlet Filters could supply safety mechanisms equivalent to auditing, authentication, logging, or authorization.
Tracked as CVE-2022-26136 and described as a Servlet Filter bypass, the primary of the issues may enable a distant, unauthenticated attacker to ship specifically crafted HTTP request and authenticate to third-party apps, or to launch a cross-site scripting (XSS) assault, to execute JavaScript code in a person’s browser.
The second vulnerability – CVE-2022-26137 – could end in extra Servlet Filters to be invoked through the processing of requests and responses, resulting in a cross-origin useful resource sharing (CORS) bypass. A distant, unauthenticated attacker could exploit the flaw to entry the weak software.
The problems, the corporate says, influence Bamboo Server and Information Middle, Bitbucket Server and Information Middle, Confluence Server and Information Middle, Crowd Server and Information Middle, Fisheye and Crucible, Jira Server and Information Middle, and Jira Service Administration Server and Information Middle.
Atlassian says it has launched patches for all the impacted merchandise and encourages customers to replace their installations as quickly as potential.
This week, the corporate additionally introduced software program updates that resolve a crucial vulnerability within the Questions for Confluence software working on Confluence Server or Information Middle.
Questions for Confluence is a data sharing software that helps Confluence customers discover data, share their data with others, and join with specialists to resolve particular points sooner.
On Wednesday, Atlassian warned that, when enabled on the Confluence Server and Information Middle, the applying creates a person account with hardcoded credentials. Tracked as CVE-2022-26138, the bug is taken into account “crucial severity.”
Having the username disabledsystemuser and a hardcoded password, the Confluence person account can be added to the confluence-users group, which means that it has entry to non-restricted pages inside Confluence.
“A distant, unauthenticated attacker with data of the hardcoded password may exploit this to log into Confluence and entry any pages the confluence-users group has entry to,” Atlassian warns.
The flaw impacts Questions for Confluence variations 2.7.34, 2.7.35, and three.0.2. Customers can confirm if their Confluence deployments are impacted by looking for the disabledsystemuser person or the related e mail deal with [email protected]
Atlassian additionally factors out that the person account shouldn’t be eliminated when uninstalling the Questions for Confluence functions and that it needs to be disabled or deleted manually.
The problem has been resolved with the discharge of Questions for Confluence variations 2.7.38 (suitable with Confluence 6.13.18 via 7.16.2) and three.0.5 (suitable with Confluence 7.16.three and later). Upgrading to those software iterations removes the disabledsystemuser person account if it has been created beforehand.
Atlassian says it has not obtained studies of this vulnerability being exploited in assaults.
Associated: Atlassian Patches Confluence Zero-Day as Exploitation Makes an attempt Surge
Associated: Atlassian Confluence Servers Hacked by way of Zero-Day Vulnerability
Associated: Atlassian Patches Vital Authentication Bypass Vulnerability in Jira
Get the Every day Briefing
- Most Latest
- Most Learn
- Understanding the Evolution of Cybercrime to Predict its Future
- Romanian Operator of Bulletproof Internet hosting Service Extradited to the US
- Anvilogic Scores $25 Million Collection B to Deal with SOC Modernization
- USCYBERCOM Releases IoCs for Malware Concentrating on Ukraine
- Atlassian Patches Servlet Filter Vulnerabilities Impacting A number of Merchandise
- Exploitation of Latest Chrome Zero-Day Linked to Israeli Spyware and adware Firm
- A whole lot of ICS Vulnerabilities Disclosed in First Half of 2022
- Cisco Patches Extreme Vulnerabilities in Nexus Dashboard
- Machine Identification Administration Agency AppViewX Raises $20 Million
- Apple Ships Pressing Safety Patches for macOS, iOS
Searching for Malware in All of the Fallacious Locations?
First Step For The Web’s subsequent 25 years: Including Safety to the DNS
Tattle Story: What Your Laptop Says About You
Be in a Place to Act By way of Cyber Situational Consciousness
Report Reveals Closely Regulated Industries Letting Social Networking Apps Run Rampant
2010, A Nice 12 months To Be a Scammer.
Do not Let DNS be Your Single Level of Failure
The right way to Determine Malware in a Blink
Defining and Debating Cyber Warfare
The 5 A’s that Make Cybercrime so Enticing
The right way to Defend Towards DDoS Assaults
Safety Budgets Not in Line with Threats
Anycast – Three Causes Why Your DNS Community Ought to Use It
The Evolution of the Prolonged Enterprise: Safety Methods for Ahead Pondering Organizations
Utilizing DNS Throughout the Prolonged Enterprise: It’s Dangerous Enterprise