CVE-2022-26137

CVSS V2 None CVSS V3 High 8.8
Description
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
Overview
  • CVE ID
  • CVE-2022-26137
  • Assigner
  • security@atlassian.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2022-07-20T18:15:08
  • Last Modified Date
  • 2022-08-04T15:45:16
Weakness Enumerations
CWE URL
CWE-346 http://cwe.mitre.org/data/definitions/346.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:* 1 OR 7.2.0 7.2.10
cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:* 1 OR 8.0.0 8.0.9
cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:* 1 OR 8.1.0 8.1.8
cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:* 1 OR 8.2.0 8.2.4
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:* 1 OR 7.6.16
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:* 1 OR 7.7.0 7.17.8
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:* 1 OR 7.18.0 7.19.5
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:* 1 OR 7.20.0 7.20.2
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:* 1 OR 7.21.0 7.21.2
cpe:2.3:a:atlassian:bitbucket:8.0.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:atlassian:bitbucket:8.1.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:* 1 OR 7.4.17
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:* 1 OR 7.5.0 7.13.7
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:* 1 OR 7.14.0 7.14.3
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:* 1 OR 7.15.0 7.15.2
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:* 1 OR 7.16.0 7.16.4
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:* 1 OR 7.17.0 7.17.4
cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:* 1 OR 7.4.17
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:* 1 OR 7.5.0 7.13.7
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:* 1 OR 7.14.0 7.14.3
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:* 1 OR 7.15.0 7.15.2
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:* 1 OR 7.16.0 7.16.4
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:* 1 OR 7.17.0 7.17.4
cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:* 1 OR 4.3.8
cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:* 1 OR 4.4.0 4.4.2
cpe:2.3:a:atlassian:crowd:5.0.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:* 1 OR 4.8.10
cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:* 1 OR 4.8.10
cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:* 1 OR 8.13.0 8.13.22
cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:* 1 OR 8.14.0 8.20.10
cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:* 1 OR 8.21.0 8.22.4
cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:* 1 OR 8.13.0 8.13.22
cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:* 1 OR 8.14.0 8.20.10
cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:* 1 OR 8.21.0 8.22.4
cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:data_center:*:*:* 1 OR 4.13.22
cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:server:*:*:* 1 OR 4.13.22
cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:* 1 OR 4.14.0 4.20.10
cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:* 1 OR 4.14.0 4.20.10
cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:* 1 OR 4.21.0 4.22.4
cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:* 1 OR 4.21.0 4.22.4
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • NONE
  • User Interaction
  • REQUIRED
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • HIGH
  • Availability Impact
  • HIGH
  • Base Score
  • 8.8
  • Base Severity
  • HIGH
  • Exploitability Score
  • 2.8
  • Impact Score
  • 5.9
References
Reference URL Reference Tags
https://jira.atlassian.com/browse/CWD-5815
https://jira.atlassian.com/browse/FE-7410
https://jira.atlassian.com/browse/JRASERVER-73897
https://jira.atlassian.com/browse/BAM-21795
https://jira.atlassian.com/browse/JSDSERVER-11863
https://jira.atlassian.com/browse/CONFSERVER-79476
https://jira.atlassian.com/browse/CRUC-8541
https://jira.atlassian.com/browse/BSERV-13370
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2022-26137
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26137
History
Created Old Value New Value Data Type Notes
2022-07-20 19:00:42 Added to TrackCVE