Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Share Post: Reddit Facebook
Atlassian reveals critical flaws in almost everything it makes and touches
#1
https://www.theregister.com/2022/07/21/a...dvisories/        Atlassian reveals critical flaws in almost everything it makes and touches
Fixes issued, warns it 'has not exhaustively enumerated all potential consequences'
Simon Sharwood, APAC Editor Thu 21 Jul 2022 // 01:54 UTC
Atlassian has warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that a pair of critical-rated flaws threaten their security.

The company's July security advisories detail "Servlet Filter dispatcher vulnerabilities."

One of the flaws – CVE-2022-26136 – is described as an arbitrary Servlet Filter bypass that means an attacker could send a specially crafted HTTP request to bypass custom Servlet Filters used by third-party apps to enforce authentication.

The scary part is that the flaw allows a remote, unauthenticated attacker to bypass authentication used by third-party apps. The really scary part is that Atlassian doesn't have a definitive list of apps that could be impacted.

"Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability," it added.

The same CVE can also be exploited in a cross-site scripting attack: a specially crafted HTTP request can bypass the Servlet Filter used to validate legitimate Atlassian Gadgets. "An attacker that can trick a user into requesting a malicious URL can execute arbitrary JavaScript in the user's browser," Atlassian explains.

The second flaw – CVE-2022-26137 – is a cross-origin resource sharing (CORS) bypass.

Atlassian explains it as follows: "Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim's permissions."

Confluence users have another flaw to worry about: CVE-2022-26138 reveals that one of its Confluence apps has a hard-coded password in place to help migrations to the cloud. It explained:

The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group.

If that password falls into the wrong hands, a Confluence implementation is an open book.

Atlassian comes clean on what data-deleting script behind outage actually did
Atlassian adds Analytics, Atlas, Compass to line up
Atlassian flags Bitbucket and Confluence Data Center flaws
The flaws are present in years-old versions of Atlassian products. Fixes have been issued and require upgrades. Cloudy versions of the products hosted by Atlassian have already been fixed.

News of the vulnerabilities comes just six weeks after Atlassian's admission of another critical flaw in Confluence that was under active attack.

The Register fancies these new ones will also attract the attention of malicious actors. CVE-2022-26136 probably represents a substantial opportunity to probe long-forgotten integrations for their potential to offer a path into Atlassian products, and from there to do all sorts of damage with a nasty piece of JavaScript.

With or without such attacks, Atlassian has had a tough year. Three critical flaws that have been present in products for years – and an embarrassing cloud outage – are not the sort of thing that enterprise customers appreciate.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Hezbollah hackers attack unpatched Atlassian servers at telcos, ISPs Bjyda 0 806 01-28-2021 , 10:24 PM
Last Post: Bjyda
  QNAP fixes even more serious security flaws on its NAS devices Bjyda 0 820 12-25-2020 , 12:45 AM
Last Post: Bjyda
  Cisco fixes critical pre-auth flaws allowing router takeover tarekma7 0 1,343 07-17-2020 , 10:19 PM
Last Post: tarekma7
  Most Popular Home Routers Have ‘Critical’ Flaws tarekma7 0 1,446 07-12-2020 , 10:55 PM
Last Post: tarekma7
  Most Popular Home Routers Have ‘Critical’ Flaws tarekma7 0 1,366 07-12-2020 , 10:53 PM
Last Post: tarekma7

Forum Jump:


Users browsing this thread: 1 Guest(s)