Atlassian reveals critical flaws in almost everything it makes and touches (Security News, July 2022)
Atlassian has warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that a pair of critical-rated flaws threaten their security.
The same CVE, CVE-2022-26136, can also be exploited in a cross-site scripting (XSS) attack: a specially crafted HTTP request can bypass the Servlet Filter used to validate legitimate Atlassian Gadgets.
The flaws are present in years-old versions of Atlassian products.
Cloudy versions of the products hosted by Atlassian have already been fixed.
News of the vulnerabilities comes just six weeks after Atlassian's admission of another critical flaw in Confluence that was under active attack.
CVE-2022-26136 probably represents a substantial opportunity to probe long-forgotten integrations for their potential to offer a path into Atlassian products, and from there to do all sorts of damage with a nasty piece of JavaScript.
Related Vulnerability
| Date | CVE | Vulnerability title | Risk |
|---|---|---|---|
| 2022-07-20 | CVE-2022-26136 | Improper Authentication vulnerability in Atlassian products: a vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first- and third-party apps. | 9.8 |