CVE-2022-26136
Published on: Not Yet Published
Last Modified on: 08/04/2022 03:50:00 PM UTC
Certain versions of Bamboo from Atlassian contain the following vulnerability:
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
- CVE-2022-26136 has been assigned by [email protected] to track the vulnerability - currently rated as CRITICAL severity.
CVSS3 Score: 9.8 - CRITICAL
Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
NETWORK | LOW | NONE | NONE |

Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
UNCHANGED | HIGH | HIGH | HIGH |
CVE References
Description | Tags | Link |
---|---|---|
[BAM-21795] Bamboo: Multiple Servlet Filter Vulnerabilities - Create and track feature requests for Atlassian products. | jira.atlassian.com text/html | |
[JSDSERVER-11863] JSM: Multiple Servlet Filter Vulnerabilities - Create and track feature requests for Atlassian products. | jira.atlassian.com text/html | |
[CWD-5815] Crowd: Multiple Servlet Filter Vulnerabilities - Create and track feature requests for Atlassian products. | jira.atlassian.com text/html | |
[JRASERVER-73897] Jira: Multiple Servlet Filter Vulnerabilities - Create and track feature requests for Atlassian products. | jira.atlassian.com text/html | |
[BSERV-13370] Bitbucket: Multiple Servlet Filter Vulnerabilities - Create and track feature requests for Atlassian products. | jira.atlassian.com text/html | |
[CRUC-8541] Crucible: Multiple Servlet Filter Vulnerabilities - Create and track feature requests for Atlassian products. | jira.atlassian.com text/html | |
[CONFSERVER-79476] Confluence: Multiple Servlet Filter Vulnerabilities - Create and track feature requests for Atlassian products. | jira.atlassian.com text/html | |
[FE-7410] Fisheye: Multiple Servlet Filter Vulnerabilities - Create and track feature requests for Atlassian products. | jira.atlassian.com text/html | |
Related QID Numbers
- 150559 Atlassian Jira Server and Data Center Multiple Servlet Filter Vulnerabilities (JRASERVER-73897)
- 730570 Atlassian Jira Server and Data Center Multiple Servlet Filter Vulnerabilities (JRASERVER-73897)
- 730571 Atlassian Jira Service Management Server and Data Center Multiple Servlet Filter Vulnerabilities (JSDSERVER-11863)
- 730572 Atlassian Confluence Server and Confluence Data Center Multiple Servlet Filter Vulnerabilities (CONFSERVER-79476)
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Atlassian | Bamboo | All | All | All | All |
Application | Atlassian | Bitbucket | All | All | All | All |
Application | Atlassian | Bitbucket | 8.0.0 | All | All | All |
Application | Atlassian | Bitbucket | 8.1.0 | All | All | All |
Application | Atlassian | Confluence Data Center | All | All | All | All |
Application | Atlassian | Confluence Data Center | 7.18.0 | All | All | All |
Application | Atlassian | Confluence Server | All | All | All | All |
Application | Atlassian | Confluence Server | 7.18.0 | All | All | All |
Application | Atlassian | Crowd | All | All | All | All |
Application | Atlassian | Crowd | 5.0.0 | All | All | All |
Application | Atlassian | Crucible | All | All | All | All |
Application | Atlassian | Fisheye | All | All | All | All |
Application | Atlassian | Jira Data Center | All | All | All | All |
Application | Atlassian | Jira Server | All | All | All | All |
Application | Atlassian | Jira Service Desk | All | All | All | All |
Application | Atlassian | Jira Service Desk | All | All | All | All |
Application | Atlassian | Jira Service Management | All | All | All | All |
Application | Atlassian | Jira Service Management | All | All | All | All |
- cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:bitbucket:8.0.0:*:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:bitbucket:8.1.0:*:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:crowd:5.0.0:*:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:data_center:*:*:*:
- cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:server:*:*:*:
- cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*:
- cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*:
Social Mentions
Source | Title | Posted (UTC) |
---|---|---|
 | CVE-2022-26136 : A vulnerability in multiple #Atlassian products allows a remote, unauthenticated attacker to bypas… twitter.com/i/web/status/1… | 2022-07-20 17:30:34 |
 | CVE-2022-26138, CVE-2022-26136 & CVE-2022-26137 Atlassian is messing hard with my after work hours. :( If you use C… twitter.com/i/web/status/1… | 2022-07-20 20:44:25 |
 | Advisories here: confluence.atlassian.com/security/multi… confluence.atlassian.com/doc/questions-… | 2022-07-21 00:00:51 |
 | The latest update for #ArcticWolf includes "CVE-2022-26136 & CVE-2022-26137 - Multiple Critical Vulnerabilities in… twitter.com/i/web/status/1… | 2022-07-21 04:24:41 |
 | confluence.atlassian.com/security/multi… | 2022-07-21 05:22:31 |
 | Stop your current task and focus on this one next. #Atlassian #CVE confluence.atlassian.com/security/multi… | 2022-07-21 06:19:30 |
 | Multiple @Atlassian Products Security Advisory - CVE-2022-26136, CVE-2022-26137 community.atlassian.com/t5/Jira-articl…* | 2022-07-21 06:53:07 |
 | CVE-2022-26136 & CVE-2022-26137 - Multiple Critical Vulnerabilities in Atlassian Products arcticwolf.com/resources/anal… | 2022-07-21 07:34:13 |
 | I know no IPS that has a protection/signature/rule for the vulnerability CVE-2022-26136. The vuln was published 0 d… twitter.com/i/web/status/1… | 2022-07-21 08:04:01 |
 | The vuln CVE-2022-26136 has a tweet created 0 days ago and retweeted 7 times. twitter.com/8C_8B/status/1… #Sfa65vbtvqpxka | 2022-07-21 08:04:01 |
 | ⚠️ Atlassian announces critical vulnerabilities: CVE-2022-26136, CVE-2022-26137 ?? China's Deep Panda exploits Log4Shell in new attacks ?? "Launch DDoS attacks against Russia" app, Ukrainian… twitter.com/i/web/status/1… | 2022-07-21 09:11:31 |
 | On Wednesday, July 20, 2022, Atlassian released patches to remediate two critical vulnerabilities (CVE-2022-26136 a… twitter.com/i/web/status/1… | 2022-07-21 13:35:25 |
 | Read Arctic Wolf's recommendations for these multiple critical vulnerabilities here: arcticwolf.com/resources/blog… #EndCyberRisk | 2022-07-21 13:35:26 |
 | / Atlassian Multiple Products Security Advisory - CVE-2022-26136, CVE-2022-26137 confluence.atlassian.com/security/multi…... t.me/s/it_news_for_… | 2022-07-21 16:07:10 |
 | The vuln CVE-2022-26136 has a tweet created 0 days ago and retweeted 10 times. twitter.com/8C_8B/status/1… #pow1rtrtwwcve | 2022-07-21 20:06:01 |
 | Multiple Atlassian Products Security Advisory | 2022-07-20 17:31:08 |
 | CVE-2022-26136 | 2022-07-20 18:38:28 |
 | Multiple Products Security Advisory - CVE-2022-26136, CVE-2022-26137 | Atlassian Support | Atlassian Documentation | 2022-07-21 04:25:40 |