Atlassian warns users of vulnerabilities in nearly every product, including Bamboo, Bitbucket, Confluence, Fisheye, Crucible and Jira.
The vulnerabilities affect multiple products. One is CVE-2022-26136, an ‘arbitrary Servlet Filter bypass’ that allows hackers to send HTTP requests that bypass Servlet Filters. Many third-party apps use Servlet Filters for authentication, but Atlassian is unaware of the exact amount. This makes the vulnerability very critical.
CVE-2022-26137 also affects multiple products. This concerns a cross-origin resource sharing (CORS) bypass. The vulnerability allows hackers to use Servlet Filters to bypass CORS.
CVE-2022-26138 is limited to Atlassian Confluence. One of Confluence’s apps — Atlassian Questions For Confluence Server and Data Center — creates Confluence accounts with default usernames and hard-coded password. Hackers can obtain the password to log into Confluence and access all content and user details.
The vulnerabilities exist in all versions of the affected products. The attack surface is considerable. Atlassian released patches and urges customers to upgrade on-premises versions as soon as possible. Cloud versions are already up-to-date.