This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.WEB_APPLICATION_SCANNING_113322Atlassian Confluence 7.16.x < 7.16.4 Multiple Servlet Filter Vulnerabilities
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
81.4%
According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 7.4.17, 7.5.x prior to 7.13.7, 7.14.x prior to 7.14.3, 7.15.x prior to 7.15.2, 7.16.x prior to 7.16.4, 7.17.x prior to 7.17.4 or 7.18.0. It is, therefore, affected by the following vulnerabilities :
-
An arbitrary servlet filter bypass vulnerability which can lead to authentication bypass or Cross-Site Scripting (XSS). A remote, unauthenticated attacker can bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. (CVE-2022-26136)
-
An additional servlet filter invocation vulnerability which can lead to Cross-Origin Resource Sharing (CORS) bypass. A remote, unauthenticated attacker can cause additional Servlet Filters to be invoked when the application processes requests or responses. (CVE-2022-26137)
Note that the scanner has not tested for these issues but has instead relied only on the applicationβs self-reported version number.
No source dataRelated
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
81.4%