Atlassian this week released patches for two critical Servlet Filter vulnerabilities that affect multiple products across its portfolio.
Servlet Filters are pieces of Java code designed to intercept and process HTTP requests sent between a client and a backend. Servlet Filters may provide security mechanisms such as auditing, authentication, logging, or authorization.
The second vulnerability – CVE-2022-26137 – may cause additional Servlet Filters to be invoked during the processing of requests and responses, resulting in a cross-origin resource sharing (CORS) bypass. A remote, unauthenticated attacker may exploit the flaw to access the vulnerable application.
The issues, the company says, affect Bamboo Server and Data Center, Bitbucket Server and Data Center, Confluence Server and Data Center, Crowd Server and Data Center, Fisheye and Crucible, Jira Server and Data Center, and Jira Service Management Server and Data Center.
Atlassian says it has released patches for all impacted products and encourages users to update their installations as soon as possible.
This week, the company also announced software updates that resolve a critical vulnerability in the Questions for Confluence application running on Confluence Server or Data Center.
Questions for Confluence is a knowledge sharing application that helps Confluence users find information, share their knowledge with others, and connect with experts to resolve specific issues faster.
On Wednesday, Atlassian warned that, when enabled on Confluence Server and Data Center, the application creates a user account with hardcoded credentials. Tracked as CVE-2022-26138, the bug is considered “critical severity.”
With the username disabledsystemuser and a hardcoded password, the Confluence user account is also added to the confluence-users group, meaning that it has access to non-restricted pages within Confluence.
“A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to,” Atlassian warns.
The flaw affects Questions for Confluence versions 2.7.34, 2.7.35, and 3.0.2. Users can check whether their Confluence deployments are impacted by searching for the disabledsystemuser user or the associated email address [email protected]
Atlassian also points out that the user account is not removed when uninstalling the Questions for Confluence application and that it must be disabled or deleted manually.
The issue has been resolved with the release of Questions for Confluence versions 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2) and 3.0.5 (compatible with Confluence 7.16.3 and later). Upgrading to these application versions removes the disabledsystemuser user account if it has been created previously.
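The two checks the advisory describes, the installed Questions for Confluence version and the presence of the disabledsystemuser account in the confluence-users group, can be combined into a small triage script. The following is an added example, not Atlassian's code; it assumes that Confluence user records have been exported as dicts with `username`, `active` and `groups` keys (the sample export below is constructed) and that the app version string has been read from the Confluence "Manage apps" page. The version check generalizes the advisory slightly by treating any release at or above the fix in its branch (2.7.38 or 3.0.5) as fixed.

```python
"""Triage helper for CVE-2022-26138 (hardcoded Questions for Confluence account).

Added example, not Atlassian's code. Assumptions:
  * Confluence user records are supplied as dicts with 'username', 'groups'
    and 'active' keys (the sample below is constructed; in practice export
    them from the Confluence user management UI or its REST API).
  * The installed Questions for Confluence version is read from the
    "Manage apps" page and passed in as a string.
"""
from dataclasses import dataclass

# Indicator from the advisory: the username of the account the app creates.
HARDCODED_USERNAME = "disabledsystemuser"
# Group the account is added to, which grants access to non-restricted pages.
TARGET_GROUP = "confluence-users"
# Versions the advisory lists as affected, and the releases that remove the account
# (each paired with the version-branch prefix it applies to).
AFFECTED_VERSIONS = {"2.7.34", "2.7.35", "3.0.2"}
FIXED_RELEASES = (("2.7.38", (2, 7)), ("3.0.5", (3,)))


def parse_version(version: str) -> tuple:
    """Turn '2.7.38' into (2, 7, 38) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def version_status(version: str) -> str:
    """Classify a Questions for Confluence version against the advisory.

    Returns 'affected' for a listed vulnerable version, 'fixed' for a release at
    or above the fix in its branch, and 'unlisted' for anything else (e.g. older
    builds the advisory does not name; verify those manually).
    """
    if version in AFFECTED_VERSIONS:
        return "affected"
    parsed = parse_version(version)
    for fixed, branch in FIXED_RELEASES:
        if parsed[: len(branch)] == branch and parsed >= parse_version(fixed):
            return "fixed"
    return "unlisted"


@dataclass
class AccountFinding:
    username: str
    active: bool
    in_target_group: bool


def find_hardcoded_account(users) -> list:
    """Return a finding for every record whose username matches the indicator.

    The comparison is case-insensitive so a differently cased export still
    matches. Membership in confluence-users is reported because that is what
    gives the account read access to non-restricted pages.
    """
    findings = []
    for user in users:
        if user.get("username", "").lower() == HARDCODED_USERNAME:
            findings.append(AccountFinding(
                username=user["username"],
                active=bool(user.get("active", True)),
                in_target_group=TARGET_GROUP in user.get("groups", ()),
            ))
    return findings


def triage(app_version: str, users) -> dict:
    """Combine the version check and the account search into one verdict."""
    status = version_status(app_version)
    findings = find_hardcoded_account(users)
    # The advisory's risk needs a login-capable account with page access.
    exposed = any(f.active and f.in_target_group for f in findings)
    if exposed:
        action = "disable or delete the account now, then upgrade"
    elif findings:
        action = "account present but inactive or outside confluence-users; delete it and upgrade"
    elif status == "affected":
        action = "account absent; upgrade before the app is (re)enabled"
    else:
        action = "no indicator found"
    return {
        "version_status": status,
        "account_present": bool(findings),
        "exposed": exposed,
        "action": action,
    }


# Constructed sample user export, not data from any real instance.
SAMPLE_USERS = [
    {"username": "alice", "active": True, "groups": ["confluence-users"]},
    {"username": "disabledsystemuser", "active": True, "groups": ["confluence-users"]},
    {"username": "svc-backup", "active": False, "groups": []},
]

if __name__ == "__main__":
    print(triage("2.7.35", SAMPLE_USERS))
```

Because the advisory notes that uninstalling the app does not remove the account, the script reports the account independently of the version verdict: a "fixed" or "unlisted" version with the account still present is exactly the leftover case that needs manual cleanup.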
Atlassian says it has not received reports of this vulnerability being exploited in attacks.