"Atlassian Patches Servlet Filter Vulnerabilities Impacting Multiple Products"

Atlassian recently announced patches for two critical Servlet Filter vulnerabilities that impact multiple products across its portfolio. Servlet Filters are pieces of Java code designed to intercept and process HTTP requests sent between a client and a backend. Servlet Filters may provide security mechanisms such as auditing, authentication, logging, or authorization. The first vulnerability, tracked as CVE-2022-26136, is described as a Servlet Filter bypass that could allow a remote, unauthenticated attacker to send specially crafted HTTP requests and authenticate to third-party apps, or to launch a cross-site scripting (XSS) attack that executes JavaScript code in a user's browser. The second vulnerability, CVE-2022-26137, may cause additional Servlet Filters to be invoked during the processing of requests and responses, leading to a cross-origin resource sharing (CORS) bypass. A remote, unauthenticated attacker may exploit this flaw to access the vulnerable application. Atlassian noted that the vulnerabilities impact Bamboo Server and Data Center, Bitbucket Server and Data Center, Confluence Server and Data Center, Crowd Server and Data Center, Fisheye and Crucible, Jira Server and Data Center, and Jira Service Management Server and Data Center. Atlassian says it has released patches for all of the impacted products and encourages users to update their installations as soon as possible.


SecurityWeek reports: "Atlassian Patches Servlet Filter Vulnerabilities Impacting Multiple Products"
