This page collects information about how resolution's apps may be affected by Atlassian's vulnerabilities CVE-2022-26136 and CVE-2022-26137.

VulnerabilityAtlassian Security AdvisoryCVE Records
Multiple Servlet Filter VulnerabilitiesMultiple Products Security Advisory 2022-07-20



We don't have a lot of information about this vulnerability, since Atlassian hasn't disclosed any additional details to Marketplace Partners like us that haven't been shared with the general public.

However, based on our understanding of the description, the consequences listed below may arise if you do not update your instance. We have not been able to verify them yet and generally recommend that you update your instance as fast as possible regardless of this assessment to one of the Fixed Versions listed by Atlassian. 

API Token Authentication

With this app, the authentication does happen in a Servlet Filter. However, no security breach should be caused: if the filter is skipped, API Tokens will just not work. If the filter is called in an unexpected context, it should work as expected so a valid token is still required.

  • Basic auth block circumvention
    If you have disabled Basic Authentication with regular passwords using our app, this block can probably be circumvented. 
  • Rate Limit
    Rate limiting for requests with API tokens enforced by our app may be circumvented.
  • Privilege escalation with API tokens
    It might be possible to circumvent a request with a token that has been assigned the Read-Only scope. The request could allow Read-Write operations instead.


  • Force SSO URLs circumvention
    Redirection to SSO on those pages can probably be circumvented, so the default page restrictions apply. If you use this as a security feature, be aware that these pages might no longer require SSO.

HTTP Header Auth and AWS ALB authentication

In HTTP Header Auth and AWS ALB authentication, the authentication does happen in a servlet filter. However, no security breach should be possible: if the filter is skipped, the authentication by HTTP-Headers will just not work. If the filter is called in an unexpected context, the expected HTTP Headers are still checked as they should.

Other applications

Our other apps' functionality can probably be disabled in those attacker requests, but this would only mean that this functionality no longer exists. This vulnerability seems to be problematic for apps that enforce security features by denying functionality via servlet filters. The only such features we are currently aware of are listed above.

Based on our understanding of Additional Servlet Filter Invocation (CVE-2022-26137), there should be no additional impact on your instance from our apps.