Three new critical flaws have been discovered in Atlassian products which could pose a risk to customers.  Less than two months ago Atlassian reported critical vulnerabilities affecting its Confluence product, which we covered at the time <here>.

Products affected by the first two of the newly discovered vulnerabilities include Jira, Confluence, Fisheye and Crucible, amongst others.  Atlassian says it has fixed the root cause of these two flaws but has not yet mapped out everything an attacker could do with them, so the list of impacts may grow.  “Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability,” it said in a statement.

The first vulnerability, CVE-2022-26136, allows a remote, unauthenticated attacker to bypass Servlet Filters used by first- and third-party apps; the consequences Atlassian has confirmed so far include authentication bypass and cross-site scripting.  The second, CVE-2022-26137, affects the same products and allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked, which Atlassian says can be used to bypass cross-origin resource sharing (CORS) restrictions.

The third flaw affects Confluence only and is tracked as CVE-2022-26138.  It stems from poor coding practice: affected versions of the Questions for Confluence app create a Confluence user account whose password is hard-coded into the app, and that password has since been found and shared online.  “An external party has discovered and publicly disclosed the hardcoded password on Twitter. It is important to remediate this vulnerability on affected systems immediately,” the company warned.  “This issue is likely to be exploited in the wild now that the hardcoded password is publicly known.”
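One check a Confluence administrator will want to run straight away is whether the hard-coded account has already been used. The script below is an added example, not part of the original post and not Atlassian tooling: it scans Confluence access-log lines for requests made as that account and summarises them by source address. Two assumptions are built in and labelled in the code: the account name `disabledsystemuser` is taken from Atlassian's CVE-2022-26138 advisory (the post above does not name it), and the log format is Confluence's default Tomcat access-log pattern, which records the authenticated user from the `X-AUSERNAME` response header. The log lines are constructed for the demonstration.

```python
import re

# Account created by the affected versions of the Questions for Confluence app,
# as named in Atlassian's CVE-2022-26138 advisory (not in the post above).
HARDCODED_ACCOUNT = "disabledsystemuser"

# Assumption: the instance uses Confluence's default Tomcat AccessLogValve
# pattern from conf/server.xml,
#   %t %{X-AUSERNAME}o %I %h %r %s %Dms %b %{Referer}i %{User-Agent}i
# so the second field is the authenticated username ("-" when anonymous).
# Check your own server.xml before trusting this regex on real logs.
LOG_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] (?P<user>\S+) (?P<thread>\S+) (?P<ip>\S+) "
    r"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+) (?P<status>\d{3}) "
    r"(?P<ms>\d+)ms (?P<bytes>\S+) (?P<referer>\S+) (?P<ua>.*)$"
)

# Constructed sample log lines for the demonstration; not real traffic.
SAMPLE_LOG = [
    "[20/Jul/2022:08:15:02 +0000] - http-nio-8090-exec-1 203.0.113.7 GET /login.action HTTP/1.1 200 12ms 7310 - curl/7.81.0",
    "[20/Jul/2022:08:15:03 +0000] disabledsystemuser http-nio-8090-exec-3 203.0.113.7 POST /dologin.action HTTP/1.1 302 41ms - - curl/7.81.0",
    "[20/Jul/2022:08:15:04 +0000] disabledsystemuser http-nio-8090-exec-4 203.0.113.7 GET /rest/api/content?limit=100 HTTP/1.1 200 118ms 51200 - curl/7.81.0",
    "[20/Jul/2022:08:16:10 +0000] alice http-nio-8090-exec-2 192.0.2.15 GET /display/ENG/Roadmap HTTP/1.1 200 27ms 8831 - Mozilla/5.0 (X11; Linux x86_64)",
    "[20/Jul/2022:08:17:41 +0000] disabledsystemuser http-nio-8090-exec-5 203.0.113.7 GET /pages/viewpage.action?pageId=1234 HTTP/1.1 200 33ms 4402 - curl/7.81.0",
    "this line is not in the expected format and is skipped",
]


def parse_line(line):
    """Parse one access-log line; return its fields or None if it does not fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_account_activity(log_lines, account=HARDCODED_ACCOUNT):
    """Summarise requests made as `account`, keyed by source IP.

    Returns {ip: {"count": n, "first": ts, "last": ts, "paths": [...]}} so an
    analyst can see when the account was used, from where, and what it touched.
    """
    hits = {}
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["user"] != account:
            continue
        entry = hits.setdefault(
            rec["ip"], {"count": 0, "first": rec["time"], "last": rec["time"], "paths": []}
        )
        entry["count"] += 1
        entry["last"] = rec["time"]
        entry["paths"].append(rec["path"])
    return hits


def unparsed_lines(log_lines):
    """Lines the regex did not match. A large count usually means the
    access-log pattern differs from the one assumed above."""
    return [l for l in log_lines if parse_line(l) is None]


if __name__ == "__main__":
    for ip, info in find_account_activity(SAMPLE_LOG).items():
        print(f"{HARDCODED_ACCOUNT} used from {ip}: {info['count']} requests, "
              f"{info['first']} .. {info['last']}")
        for p in info["paths"]:
            print("   ", p)
    skipped = unparsed_lines(SAMPLE_LOG)
    if skipped:
        print(f"{len(skipped)} line(s) did not match the assumed log format")
```

Run it against the real access logs by replacing `SAMPLE_LOG` with the lines from the Confluence installation's log directory, and keep an eye on the unparsed count: a deployment with a customised access-log pattern will need the regex adjusted first. Two caveats from Atlassian's advisory are worth stating plainly: uninstalling the Questions for Confluence app does not remove the account, so the account itself must be disabled or deleted, and the account's last-authentication time in the user management screen is the quickest first indicator that it has been used.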

Atlassian has published advisories for the vulnerabilities in its July 2022 security bulletin <here [1] and [2]>.  We recommend that all our clients and readers who use Atlassian products review the advisories and apply the fixes where they are affected, in order to minimise any risk to their operations.
