resolution Apps: Arbitrary Servlet Filter Bypass (CVE-2022-26136)
This page collects information about how resolution's apps may be affected by Atlassian's vulnerabilities CVE-2022-26136 and CVE-2022-26137.
Vulnerability | Atlassian Security Advisory | CVE Records |
---|---|---|
Multiple Servlet Filter Vulnerabilities | | CVE-2022-26136, CVE-2022-26137 |
We don't have a lot of information about this vulnerability, since Atlassian hasn't disclosed any details to Marketplace Partners like us beyond what has been shared with the general public.
However, based on our understanding of the description, the consequences listed below may arise if you do not update your instance. We have not been able to verify them yet, and regardless of this assessment we recommend that you update your instance as soon as possible to one of the Fixed Versions listed by Atlassian.
API Token Authentication
In this app, authentication does happen in a Servlet Filter. However, no security breach should result from that: the filter grants access when a valid token is presented, so if the filter is skipped, API Tokens will simply not work and the request proceeds unauthenticated rather than with elevated rights. If the filter is called in an unexpected context, it behaves as it normally does, so a valid token is still required.
Basic auth block circumvention
If you have disabled Basic Authentication with regular passwords using our app, this block can probably be circumvented, because the block is enforced by denying the request in a servlet filter.
Rate Limit
Rate limiting for requests with API tokens, which our app enforces in a servlet filter, may be circumvented.
Privilege escalation with API tokens
It might be possible to circumvent the Read-Only scope: a request made with a token that has only been assigned the Read-Only scope could be allowed to perform Read-Write operations instead.
SAML SSO
Force SSO URLs circumvention
The forced redirection to SSO on those URLs can probably be circumvented, in which case only the host product's default page restrictions apply. If you rely on Force SSO as a security feature, be aware that these pages might no longer require SSO.
HTTP Header Auth and AWS ALB authentication
In HTTP Header Auth and AWS ALB authentication, the authentication does happen in a servlet filter. However, no security breach should be possible: if the filter is skipped, authentication by HTTP headers will simply not work and the request proceeds unauthenticated. If the filter is called in an unexpected context, the expected HTTP headers are still checked as they should be.
Other applications
For our other apps, an attacker can probably prevent the apps' filters from running for the attacker's own requests, but that only means the app's functionality is missing for those requests; it does not grant anything. This vulnerability is problematic for apps that enforce security features by denying access in a servlet filter, since a skipped deny filter fails open. The only such features in our apps that we are currently aware of are listed above.
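The distinction drawn throughout this page (a filter that grants access fails closed when skipped; a filter that denies access, such as the Basic auth block, the rate limit, the Read-Only scope check or Force SSO, fails open when skipped) can be made concrete with a small model. The following is an added example, not code from resolution's apps or from Atlassian: a servlet FilterChain is modelled with plain Python callables, and the filter bypass of CVE-2022-26136 is modelled as the attacker being able to make the container skip a chosen filter (the "if the filter is skipped" case above). The token table, credentials, filter names and endpoints are all constructed for this illustration.

```python
"""Fail-open vs fail-closed servlet filters, modelled in Python (added example)."""
import base64
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    headers: dict
    attrs: dict = field(default_factory=dict)  # plays the role of ServletRequest attributes


@dataclass
class Response:
    status: int
    body: str = ""


# Constructed API tokens: token -> (user, scope). Hypothetical data.
API_TOKENS = {"tok-ro-1": ("alice", "read-only"), "tok-rw-1": ("bob", "read-write")}
# Constructed Basic credential accepted by the host-product stand-in below.
EXPECTED_BASIC = "Basic " + base64.b64encode(b"alice:password").decode()


# --- filters: each takes (request, chain) and returns a Response --------------

def api_token_auth_filter(req, chain):
    """GRANTING filter: a valid Bearer token attaches a principal; nothing else is decided."""
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        user_scope = API_TOKENS.get(auth[len("Bearer "):])
        if user_scope is None:
            return Response(401, "invalid API token")
        req.attrs["principal"], req.attrs["scope"] = user_scope
    return chain(req)


def basic_auth_block_filter(req, chain):
    """DENYING filter: refuses password-based Basic authentication outright."""
    if req.headers.get("Authorization", "").startswith("Basic "):
        return Response(403, "Basic authentication is disabled")
    return chain(req)


def read_only_scope_filter(req, chain):
    """DENYING filter: refuses write methods for read-only tokens."""
    if req.attrs.get("scope") == "read-only" and req.method not in ("GET", "HEAD"):
        return Response(403, "token is read-only")
    return chain(req)


def platform_basic_auth_filter(req, chain):
    """Stand-in for the host product's own Basic auth, which runs after the app's filters."""
    if req.headers.get("Authorization", "") == EXPECTED_BASIC:
        req.attrs["principal"], req.attrs["scope"] = "alice", "read-write"
    return chain(req)


def endpoint(req):
    """Resource that trusts the filters completely: any principal may do anything."""
    if "principal" not in req.attrs:
        return Response(401, "anonymous")
    return Response(200, f"{req.method} as {req.attrs['principal']}")


def hardened_endpoint(req):
    """Fail-closed variant: the write check is repeated at the resource, so a
    skipped read_only_scope_filter no longer turns a read-only token into a write token."""
    if "principal" not in req.attrs:
        return Response(401, "anonymous")
    if req.method not in ("GET", "HEAD") and req.attrs.get("scope") != "read-write":
        return Response(403, "write requires read-write scope")
    return Response(200, f"{req.method} as {req.attrs['principal']}")


CHAIN = [basic_auth_block_filter, api_token_auth_filter,
         read_only_scope_filter, platform_basic_auth_filter]


def dispatch(req, handler=endpoint, skipped=()):
    """Run req through CHAIN and then the handler. Filters whose names are listed
    in `skipped` are never invoked, which models the arbitrary filter bypass."""
    active = [f for f in CHAIN if f.__name__ not in skipped]

    def invoke(i, r):
        if i == len(active):
            return handler(r)
        return active[i](r, lambda nxt: invoke(i + 1, nxt))

    return invoke(0, req)


def bearer(method, token):
    return Request(method, {"Authorization": "Bearer " + token})


if __name__ == "__main__":
    basic = Request("GET", {"Authorization": EXPECTED_BASIC})
    print(dispatch(basic))                                                    # 403: block works
    print(dispatch(basic, skipped={"basic_auth_block_filter"}))               # 200: block bypassed
    print(dispatch(bearer("GET", "tok-ro-1"), skipped={"api_token_auth_filter"}))        # 401: fails closed
    print(dispatch(bearer("DELETE", "tok-ro-1"), skipped={"read_only_scope_filter"}))    # 200: escalation
    print(dispatch(bearer("DELETE", "tok-ro-1"), hardened_endpoint, {"read_only_scope_filter"}))  # 403
```

Skipping the granting filter leaves the request anonymous, which is why the API Token and HTTP Header Auth filters are assessed as harmless above; skipping a denying filter removes the only check, which is why the Basic auth block, rate limit, scope and Force SSO features are the ones listed as at risk. The hardened endpoint shows the general remedy for the scope case, repeating the authorisation decision at the resource, but the fix for the bypass itself is the Atlassian update.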
Based on our understanding of Additional Servlet Filter Invocation (CVE-2022-26137), there should be no additional impact on your instance from our apps.