Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-26137

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.

Published

2022-07-20T18:15:08.557

Last Modified

2024-11-21T06:53:30.583

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.8 (HIGH)

Weaknesses
  • Type: Secondary
    CWE-180
  • Type: Primary
    CWE-346
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application atlassian bamboo < 7.2.10 Yes
Application atlassian bamboo < 8.0.9 Yes
Application atlassian bamboo < 8.1.8 Yes
Application atlassian bamboo < 8.2.4 Yes
Application atlassian bitbucket < 7.6.16 Yes
Application atlassian bitbucket < 7.17.8 Yes
Application atlassian bitbucket < 7.19.5 Yes
Application atlassian bitbucket < 7.20.2 Yes
Application atlassian bitbucket < 7.21.2 Yes
Application atlassian bitbucket 8.0.0 Yes
Application atlassian bitbucket 8.1.0 Yes
Application atlassian confluence_data_center < 7.4.17 Yes
Application atlassian confluence_data_center < 7.13.7 Yes
Application atlassian confluence_data_center < 7.14.3 Yes
Application atlassian confluence_data_center < 7.15.2 Yes
Application atlassian confluence_data_center < 7.16.4 Yes
Application atlassian confluence_data_center < 7.17.4 Yes
Application atlassian confluence_data_center 7.18.0 Yes
Application atlassian confluence_server < 7.4.17 Yes
Application atlassian confluence_server < 7.13.7 Yes
Application atlassian confluence_server < 7.14.3 Yes
Application atlassian confluence_server < 7.15.2 Yes
Application atlassian confluence_server < 7.16.4 Yes
Application atlassian confluence_server < 7.17.4 Yes
Application atlassian confluence_server 7.18.0 Yes
Application atlassian crowd < 4.3.8 Yes
Application atlassian crowd < 4.4.2 Yes
Application atlassian crowd 5.0.0 Yes
Application atlassian crucible < 4.8.10 Yes
Application atlassian fisheye < 4.8.10 Yes
Application atlassian jira_data_center < 8.13.22 Yes
Application atlassian jira_data_center < 8.20.10 Yes
Application atlassian jira_data_center < 8.22.4 Yes
Application atlassian jira_server < 8.13.22 Yes
Application atlassian jira_server < 8.20.10 Yes
Application atlassian jira_server < 8.22.4 Yes
Application atlassian jira_service_desk < 4.13.22 Yes
Application atlassian jira_service_desk < 4.13.22 Yes
Application atlassian jira_service_management < 4.20.10 Yes
Application atlassian jira_service_management < 4.20.10 Yes
Application atlassian jira_service_management < 4.22.4 Yes
Application atlassian jira_service_management < 4.22.4 Yes
References