This week, Atlassian released patches for two serious Servlet Filter flaws that affect a number of its products. Servlet Filters are Java components (implementations of javax.servlet.Filter) that intercept HTTP requests and responses on their way between a client and a backend servlet.
Because every request that matches a filter's mapping passes through it, filters are a common place to enforce security controls such as authentication, authorization, auditing, and logging. The first vulnerability, CVE-2022-26136, is a Servlet Filter bypass: a remote, unauthenticated attacker can send a specially crafted HTTP request that skips custom Servlet Filters used by first- and third-party apps to enforce authentication, and in some cases use the same technique to mount a cross-site scripting (XSS) attack that runs JavaScript in a victim's browser.
The second vulnerability, CVE-2022-26137, is a Servlet Filter invocation flaw: a specially crafted request can cause additional Servlet Filters to run during the processing of requests and responses, including the filter that answers cross-origin resource sharing (CORS) requests, which results in a CORS bypass.
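Both flaws come down to which filters the container runs for a given request. Atlassian's advisories describe the trigger only as a "specially crafted HTTP request" and do not publish the root cause, so the example below is not a reproduction of either CVE. It is an added illustration, not code from Atlassian or from any Atlassian app, of the general mistake an authentication filter mapped by URL pattern invites: the container decides whether the filter runs from its own view of the path, so path parameters (`;`), dot segments, and double percent-encoding are the usual ways a request reaches a protected servlet without the filter, or reaches a filter that was not meant for it. The hardened shape maps the filter to `/*` and decides inside it on a canonicalised path, failing closed on anything ambiguous. The class name, the `/admin` prefix, and the `user` session attribute are hypothetical; the servlet API used is the standard `javax.servlet` 3.x API and the code assumes Java 11 or later.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical authentication filter (illustration only, not Atlassian code).
 * Mapped to "/*" rather than "/admin/*" so that the decision of what is
 * protected is made here, on a canonical path, instead of by the
 * container's URL-pattern matching.
 */
@WebFilter(urlPatterns = "/*")
public class AdminAuthFilter implements Filter {

    private static final String PROTECTED_PREFIX = "/admin"; // hypothetical

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getRequestURI() is the raw path: still percent-encoded, with path
        // parameters (";jsessionid=...") and dot segments left in place.
        if (requiresAuthentication(request.getRequestURI())) {
            // Hypothetical: the login servlet stores "user" in the session.
            boolean authenticated = request.getSession(false) != null
                    && request.getSession(false).getAttribute("user") != null;
            if (!authenticated) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    /** Fail closed: a path that cannot be canonicalised counts as protected. */
    static boolean requiresAuthentication(String rawUri) {
        String path = canonicalPath(rawUri);
        return path == null
                || path.equals(PROTECTED_PREFIX)
                || path.startsWith(PROTECTED_PREFIX + "/");
    }

    /** Canonical path for rawUri, or null when the input is ambiguous. */
    static String canonicalPath(String rawUri) {
        String path = rawUri;
        int q = path.indexOf('?');
        if (q >= 0) path = path.substring(0, q);

        // Decode exactly one layer of percent-encoding. A '%' left over means
        // the client double-encoded ("%252e%252e"), which we refuse to guess at.
        // (URLDecoder also maps '+' to a space; acceptable for a prefix check.)
        String decoded;
        try {
            decoded = URLDecoder.decode(path, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformedEscape) {
            return null;
        }
        if (decoded.contains("%") || decoded.indexOf('\0') >= 0) return null;

        // Drop path parameters: "/admin;x=y/users" -> "/admin/users".
        decoded = decoded.replaceAll(";[^/]*", "");

        // Resolve "." and ".." segments; reject anything that escapes the root.
        try {
            String normalized = new URI(null, null, decoded, null).normalize().getPath();
            if (normalized == null || !normalized.startsWith("/")
                    || normalized.startsWith("/..")) return null;
            return normalized.replaceAll("/+", "/");
        } catch (URISyntaxException e) {
            return null;
        }
    }

    // Constructed sample requests so the class runs stand-alone, no container needed.
    public static void main(String[] args) {
        String[] samples = {
            "/admin/users",             // protected
            "/admin;x=y/users",         // path parameter: still protected
            "/public/../admin/users",   // dot segment: still protected
            "/%61dmin/users",           // single encoding of 'a': still protected
            "/%2561dmin/users",         // double encoding: fail closed, protected
            "/public/index",            // not protected
        };
        for (String s : samples) {
            System.out.println(s + " -> " + canonicalPath(s)
                    + " -> auth required: " + requiresAuthentication(s));
        }
    }
}
```

The point to verify in a review of any filter-based control is whether the filter's own mapping is the only thing standing between the request and the protected servlet. The same mismatch runs in the other direction for a CORS filter: if the container attaches it to requests it was never meant to answer, the response carries cross-origin headers the application did not intend, which is the shape of bypass the second CVE describes.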
Read more: Atlassian Patches Servlet Filter Vulnerabilities Impacting Multiple Products