Summary | Multiple Products Security Advisory – Servlet Filter Dispatcher Vulnerabilities |
---|---|
Advisory Release Date | Jul 20, 2022 10:00 AM PDT (Pacific Time, -7 hours) |
Affected Products | |
Affected Versions | Affected Versions List |
Fixed Versions | Fixed Versions List |
CVE ID(s) | CVE-2022-26136, CVE-2022-26137 |
Summary of Servlet Filter Dispatcher Vulnerability
Servlet Filter Overview
A Servlet Filter is Java code that intercepts and processes HTTP requests before a client request reaches a back-end resource. Filters are also used to intercept and process HTTP responses from a back-end resource before they are sent to a client. Some Servlet Filters implement security mechanisms such as logging, auditing, authentication, or authorization.
Arbitrary Servlet Filter Bypass (CVE-2022-26136)
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first- and third-party apps. The impact depends on which filters each app uses and how it uses them. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all of its potential consequences. Only the following attacks have been confirmed:
- Authentication bypass. Sending a specially crafted HTTP request can bypass custom Servlet Filters used by third-party apps to enforce authentication. A remote, unauthenticated attacker can exploit this to bypass authentication used by third-party apps. Please note that Atlassian has confirmed this attack is possible, but has not determined a list of all affected apps.
- Cross-site scripting (XSS). Sending a specially crafted HTTP request can bypass the Servlet Filter used to validate legitimate Atlassian Gadgets, which can result in cross-site scripting (XSS). An attacker who can trick a user into requesting a malicious URL can execute arbitrary JavaScript in the user’s browser.
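The authentication-bypass case above comes down to a security decision that lives only in a filter: if the dispatcher never runs the filter, the resource behind it serves the request. The following is an added illustration (not Atlassian code, and not the patched dispatcher) of a defence-in-depth pattern for app developers: the filter records on the request that it ran, and the protected servlet fails closed when that marker is missing. `AuthFilter`, `ProtectedServlet`, the attribute name and the `isAuthenticated` helper are all assumed names for the example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical authentication filter of the kind a third-party app might register.
// Besides rejecting unauthenticated callers, it leaves a server-side marker on the
// request (request attributes cannot be supplied by the client) so the resource can
// verify that the filter actually ran.
public class AuthFilter implements Filter {
    static final String AUTH_ATTR = "example.authFilterRan"; // assumed attribute name

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!isAuthenticated(request)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return; // stop the chain; the resource is never reached
        }
        request.setAttribute(AUTH_ATTR, Boolean.TRUE);
        chain.doFilter(req, res);
    }

    // Stand-in for the app's real session or token check (assumed helper).
    private boolean isAuthenticated(HttpServletRequest request) {
        return request.getUserPrincipal() != null;
    }
}

// The protected resource re-checks the marker instead of trusting that the filter
// chain was assembled correctly. If a dispatcher defect routes a request around
// AuthFilter (the failure mode of CVE-2022-26136), the attribute is absent and the
// servlet returns 401 instead of serving the unauthenticated caller.
class ProtectedServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        if (!Boolean.TRUE.equals(request.getAttribute(AuthFilter.AUTH_ATTR))) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        response.setContentType("text/plain");
        response.getWriter().println("hello, " + request.getUserPrincipal().getName());
    }
}
```

This does not replace upgrading to a fixed version; it limits the blast radius for an app whose filters may be skipped.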
Additional Servlet Filter Invocation (CVE-2022-26137)
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability:
- Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker who can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions.
Affected Versions
Product | Affected Versions |
---|---|
Bamboo Server and Data Center | |
Bitbucket Server and Data Center | |
Confluence Server and Data Center | |
Crowd Server and Data Center | |
Crucible | |
Fisheye | |
Jira Server and Data Center | |
Jira Service Management Server and Data Center | |
Fixed Versions
Product | Fixed Versions |
---|---|
Bamboo Server and Data Center | |
Bitbucket Server and Data Center | |
Confluence Server and Data Center | |
Crowd Server and Data Center | |
Crucible | |
Fisheye | |
Jira Server and Data Center | |
Jira Service Management Server and Data Center | |
Release Notes
Atlassian recommends that you upgrade to the latest version. For a full description of the latest versions, see the release notes for your product:
- Bamboo Server and Data Center release notes
- Bitbucket Server and Data Center release notes
- Confluence Server and Data Center release notes
- Crowd Server and Data Center release notes
- Crucible release notes
- Fisheye release notes
- Jira Service Management Server and Data Center release notes
- Jira Software Server and Data Center release notes
Downloads
- Download Bamboo Server and Data Center
- Download Bitbucket Server and Data Center
- Download Confluence Server and Data Center
- Download Crowd
- Download Crucible
- Download Fisheye
- Download Jira Service Management Server and Data Center
- Download Jira Software Server and Data Center
Workarounds
Need Help With This?
Give us a call, or submit a help request here. As an Atlassian Platinum Solution Partner, we’re here to help you keep all your Atlassian products running smoothly.