Lucene search

K
nessusThis script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.WEB_APPLICATION_SCANNING_113319
HistoryJul 28, 2022 - 12:00 a.m.

Atlassian Confluence 7.5.x < 7.13.7 Multiple Servlet Filter Vulnerabilities

2022-07-2800:00:00
This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
196

According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 7.4.17, 7.5.x prior to 7.13.7, 7.14.x prior to 7.14.3, 7.15.x prior to 7.15.2, 7.16.x prior to 7.16.4, 7.17.x prior to 7.17.4 or 7.18.0. It is, therefore, affected by the following vulnerabilities :

  • An arbitrary servlet filter bypass vulnerability which can lead to authentication bypass or Cross-Site Scripting (XSS). A remote, unauthenticated attacker can bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. (CVE-2022-26136)

  • An additional servlet filter invocation vulnerability which can lead to Cross-Origin Resource Sharing (CORS) bypass. A remote, unauthenticated attacker can cause additional Servlet Filters to be invoked when the application processes requests or responses. (CVE-2022-26137)

Note that the scanner has not tested for these issues but has instead relied only on the application’s self-reported version number.

No source data
VendorProductVersion
aatlassianconfluence
Related for WEB_APPLICATION_SCANNING_113319