CVE-2022-26136 & CVE-2022-26137 – Multiple Critical Vulnerabilities in Atlassian Products


On Wednesday, 20 July 2022, Atlassian released patches to remediate two critical vulnerabilities (CVE-2022-26136 and CVE-2022-26137) that affect how Atlassian products invoke Servlet Filters. Depending on the filters a given product uses, the flaws can allow an unauthenticated attacker to bypass authentication, perform cross-site scripting (XSS), or bypass cross-origin resource sharing (CORS) restrictions. A Servlet Filter intercepts HTTP requests and performs pre- and post-processing before the request reaches a back-end resource or web application. Notably, some Servlet Filters provide security functions such as authentication, authorisation, auditing, and logging for Atlassian products.
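To make concrete what a filter-enforced security check looks like, and therefore what is lost when the filter is skipped, here is an added example of a hypothetical third-party authentication filter written against the standard javax.servlet API. It is constructed for this page and is not Atlassian's code; the path, class and session attribute names are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical authentication filter for a third-party plugin (constructed example).
// Everything under /plugins/example/* is protected only by this filter: if the
// container does not invoke it, the servlet behind it runs for anyone.
@WebFilter(urlPatterns = "/plugins/example/*")
public class ExampleAuthFilter implements Filter {

    // Session attribute the (hypothetical) login servlet sets on success.
    static final String USER_ATTR = "example.user";

    @Override
    public void init(FilterConfig config) throws ServletException { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Pre-processing: require an authenticated session before continuing.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return; // chain is NOT continued: the protected servlet never runs
        }

        chain.doFilter(request, response); // hand off to the next filter or the servlet

        // Post-processing: audit that the protected resource was served.
        request.getServletContext()
               .log("served " + request.getRequestURI() + " to " + user);
    }

    @Override
    public void destroy() { }
}
```

Because the vulnerabilities lie in how the products invoke the filter chain, a correctly written filter such as this one does not by itself protect against CVE-2022-26136 or CVE-2022-26137; the vendor patches are required.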

Atlassian Cloud sites are not impacted as patches have already been deployed.   

CVE-2022-26136: Arbitrary Servlet Filter Bypass

This vulnerability allows an unauthenticated threat actor to bypass Servlet Filters used by first- and third-party applications.

Impact 

  • Authentication Bypass: An unauthenticated threat actor can successfully bypass Servlet Filters used by third-party applications to enforce authentication by sending a specially crafted HTTP request.

  • Cross-site Scripting: A threat actor can successfully bypass the Servlet Filter used to validate legitimate Atlassian Gadgets by sending a specially crafted HTTP request. A threat actor can execute arbitrary JavaScript in the victim's browser if the victim is tricked into requesting a malicious URL.

CVE-2022-26137: Additional Servlet Filter Invocation

This vulnerability allows a remote, unauthenticated threat actor to invoke additional Servlet Filters when the application processes a request or response.

Impact 

  • Cross-origin Resource Sharing Bypass: A threat actor can successfully invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass, by sending a specially crafted HTTP request.

NOTE: Atlassian has not exhaustively investigated the potential impacts of these vulnerabilities. Threat actors may be able to leverage them to achieve objectives beyond authentication bypass, XSS, and CORS bypass.

Impacted Products

NOTE: Atlassian Cloud sites are not impacted by CVE-2022-26136 or CVE-2022-26137 

Product                                           Release Notes
Bamboo Server and Data Center                     https://jira.atlassian.com/browse/BAM-21795
Bitbucket Server and Data Center                  https://jira.atlassian.com/browse/BSERV-13370
Confluence Server and Data Center                 https://jira.atlassian.com/browse/CONFSERVER-79476
Crowd Server and Data Center                      https://jira.atlassian.com/browse/CWD-5815
Crucible                                          https://jira.atlassian.com/browse/CRUC-8541
Fisheye                                           https://jira.atlassian.com/browse/FE-7410
Jira Server and Data Center                       https://jira.atlassian.com/browse/JRASERVER-73897
Jira Service Management Server and Data Center    https://jira.atlassian.com/browse/JSDSERVER-11863

Recommendation

Apply the Available Security Patches to Applicable Products 

Atlassian has released security patches for all impacted products. We recommend applying the latest relevant security patches to impacted products to mitigate CVE-2022-26136 and CVE-2022-26137; the release notes linked in the Impacted Products table above identify the fixed versions for each product.

Steven Campbell

Steven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.