CVE-2022-26136

CVSS V2 None CVSS V3 Critical 9.8
Description
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
Overview
  • CVE ID
  • CVE-2022-26136
  • Assigner
  • security@atlassian.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2022-07-20T18:15:08
  • Last Modified Date
  • 2022-08-04T15:50:26
Weakness Enumerations
CWE URL
CWE-287 http://cwe.mitre.org/data/definitions/287.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:* 1 OR 7.2.0 7.2.10
cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:* 1 OR 8.0.0 8.0.9
cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:* 1 OR 8.1.0 8.1.8
cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:* 1 OR 8.2.0 8.2.4
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:* 1 OR 7.6.16
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:* 1 OR 7.7.0 7.17.8
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:* 1 OR 7.18.0 7.19.5
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:* 1 OR 7.20.0 7.20.2
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:* 1 OR 7.21.0 7.21.2
cpe:2.3:a:atlassian:bitbucket:8.0.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:atlassian:bitbucket:8.1.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:* 1 OR 7.4.17
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:* 1 OR 7.5.0 7.13.7
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:* 1 OR 7.14.0 7.14.3
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:* 1 OR 7.15.0 7.15.2
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:* 1 OR 7.16.0 7.16.4
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:* 1 OR 7.17.0 7.17.4
cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:* 1 OR 7.4.17
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:* 1 OR 7.5.0 7.13.7
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:* 1 OR 7.14.0 7.14.3
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:* 1 OR 7.15.0 7.15.2
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:* 1 OR 7.16.0 7.16.4
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:* 1 OR 7.17.0 7.17.4
cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:* 1 OR 4.3.8
cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:* 1 OR 4.4.0 4.4.2
cpe:2.3:a:atlassian:crowd:5.0.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:* 1 OR 4.8.10
cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:* 1 OR 4.8.10
cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:* 1 OR 8.13.0 8.13.22
cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:* 1 OR 8.14.0 8.20.10
cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:* 1 OR 8.21.0 8.22.4
cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:* 1 OR 8.13.0 8.13.22
cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:* 1 OR 8.14.0 8.20.10
cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:* 1 OR 8.21.0 8.22.4
cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:data_center:*:*:* 1 OR 4.13.22
cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:server:*:*:* 1 OR 4.13.22
cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:* 1 OR 4.14.0 4.20.10
cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:* 1 OR 4.14.0 4.20.10
cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:* 1 OR 4.21.0 4.22.4
cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:* 1 OR 4.21.0 4.22.4
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • NONE
  • User Interaction
  • NONE
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • HIGH
  • Availability Impact
  • HIGH
  • Base Score
  • 9.8
  • Base Severity
  • CRITICAL
  • Exploitability Score
  • 3.9
  • Impact Score
  • 5.9
References
Reference URL Reference Tags
https://jira.atlassian.com/browse/CWD-5815
https://jira.atlassian.com/browse/FE-7410
https://jira.atlassian.com/browse/JRASERVER-73897
https://jira.atlassian.com/browse/BAM-21795
https://jira.atlassian.com/browse/JSDSERVER-11863
https://jira.atlassian.com/browse/CONFSERVER-79476
https://jira.atlassian.com/browse/CRUC-8541
https://jira.atlassian.com/browse/BSERV-13370
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2022-26136
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26136
History
Created Old Value New Value Data Type Notes
2022-07-20 19:00:42 Added to TrackCVE