CVE-2022-26137
Published on: Not Yet Published
Last Modified on: 08/04/2022 03:45:00 PM UTC
Certain versions of Bamboo from Atlassian contain the following vulnerability:
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
- CVE-2022-26137 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.
CVSS3 Score: 8.8 - HIGH
Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
NETWORK | LOW | NONE | REQUIRED |

Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
UNCHANGED | HIGH | HIGH | HIGH |
CVE References
Description | Tags |
---|---|
[BAM-21795] Bamboo: Multiple Servlet Filter Vulnerabilities | jira.atlassian.com text/html |
[JSDSERVER-11863] JSM: Multiple Servlet Filter Vulnerabilities | jira.atlassian.com text/html |
[CWD-5815] Crowd: Multiple Servlet Filter Vulnerabilities | jira.atlassian.com text/html |
[JRASERVER-73897] Jira: Multiple Servlet Filter Vulnerabilities | jira.atlassian.com text/html |
[BSERV-13370] Bitbucket: Multiple Servlet Filter Vulnerabilities | jira.atlassian.com text/html |
[CRUC-8541] Crucible: Multiple Servlet Filter Vulnerabilities | jira.atlassian.com text/html |
[CONFSERVER-79476] Confluence: Multiple Servlet Filter Vulnerabilities | jira.atlassian.com text/html |
[FE-7410] Fisheye: Multiple Servlet Filter Vulnerabilities | jira.atlassian.com text/html |
Related QID Numbers
- 150559 Atlassian Jira Server and Data Center Multiple Servlet Filter Vulnerabilities (JRASERVER-73897)
- 730570 Atlassian Jira Server and Data Center Multiple Servlet Filter Vulnerabilities (JRASERVER-73897)
- 730571 Atlassian Jira Service Management Server and Data Center Multiple Servlet Filter Vulnerabilities (JSDSERVER-11863)
- 730572 Atlassian Confluence Server and Confluence Data Center Multiple Servlet Filter Vulnerabilities (CONFSERVER-79476)
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Atlassian | Bamboo | All | All | All | All |
Application | Atlassian | Bitbucket | All | All | All | All |
Application | Atlassian | Bitbucket | 8.0.0 | All | All | All |
Application | Atlassian | Bitbucket | 8.1.0 | All | All | All |
Application | Atlassian | Confluence Data Center | All | All | All | All |
Application | Atlassian | Confluence Data Center | 7.18.0 | All | All | All |
Application | Atlassian | Confluence Server | All | All | All | All |
Application | Atlassian | Confluence Server | 7.18.0 | All | All | All |
Application | Atlassian | Crowd | All | All | All | All |
Application | Atlassian | Crowd | 5.0.0 | All | All | All |
Application | Atlassian | Crucible | All | All | All | All |
Application | Atlassian | Fisheye | All | All | All | All |
Application | Atlassian | Jira Data Center | All | All | All | All |
Application | Atlassian | Jira Server | All | All | All | All |
Application | Atlassian | Jira Service Desk | All | All | Data Center | All |
Application | Atlassian | Jira Service Desk | All | All | Server | All |
Application | Atlassian | Jira Service Management | All | All | Data Center | All |
Application | Atlassian | Jira Service Management | All | All | Server | All |
- cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:bitbucket:8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:bitbucket:8.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:crowd:5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:data_center:*:*:*
- cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:server:*:*:*
- cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*
- cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*
Social Mentions
Title | Posted (UTC) |
---|---|
CVE-2022-26137 : A vulnerability in multiple #Atlassian products allows a remote, unauthenticated attacker to cause… twitter.com/i/web/status/1… | 2022-07-20 17:30:59 |
CVE-2022-26138, CVE-2022-26136 & CVE-2022-26137 Atlassian is messing hard with my after work hours. :( If you use C… twitter.com/i/web/status/1… | 2022-07-20 20:44:25 |
CVE-2022-26138 and CVE-2022-26137 | 2022-07-20 21:44:22 |
Advisories here: confluence.atlassian.com/security/multi… confluence.atlassian.com/doc/questions-… | 2022-07-21 00:00:51 |
The latest update for #ArcticWolf includes "CVE-2022-26136 & CVE-2022-26137 - Multiple Critical Vulnerabilities in… twitter.com/i/web/status/1… | 2022-07-21 04:24:41 |
confluence.atlassian.com/security/multi… | 2022-07-21 05:22:31 |
Stop your current task and focus on this one next. #Atlassian #CVE confluence.atlassian.com/security/multi… | 2022-07-21 06:19:30 |
Multiple @Atlassian Products Security Advisory - CVE-2022-26136, CVE-2022-26137 community.atlassian.com/t5/Jira-articl…* | 2022-07-21 06:53:07 |
CVE-2022-26136 & CVE-2022-26137 - Multiple Critical Vulnerabilities in Atlassian Products arcticwolf.com/resources/anal… | 2022-07-21 07:34:13 |
I know no IPS that has a protection/signature/rule for the vulnerability CVE-2022-26137. The vuln was published 0 d… twitter.com/i/web/status/1… | 2022-07-21 08:04:02 |
The vuln CVE-2022-26137 has a tweet created 0 days ago and retweeted 7 times. twitter.com/8C_8B/status/1… #Sv76xgqxm3poke | 2022-07-21 08:04:02 |
⚠️ Atlassian announces critical vulnerabilities: CVE-2022-26136, CVE-2022-26137 ?? China's Deep Panda exploits Log4Shell in new attacks ?? App that "launches DDoS attacks on Russia", Ukrainian… twitter.com/i/web/status/1… | 2022-07-21 09:11:31 |
Read Arctic Wolf's recommendations for these multiple critical vulnerabilities here: arcticwolf.com/resources/blog… #EndCyberRisk | 2022-07-21 13:35:26 |
/ Atlassian Multiple Products Security Advisory - CVE-2022-26136, CVE-2022-26137 confluence.atlassian.com/security/multi…... t.me/s/it_news_for_… | 2022-07-21 16:07:10 |
The vuln CVE-2022-26137 has a tweet created 0 days ago and retweeted 10 times. twitter.com/8C_8B/status/1… #pow1rtrtwwcve | 2022-07-21 20:06:01 |
Multiple Atlassian Products Security Advisory | 2022-07-20 17:31:08 |
CVE-2022-26137 | 2022-07-20 18:38:29 |
Multiple Products Security Advisory - CVE-2022-26136, CVE-2022-26137 | Atlassian Support | Atlassian Documentation | 2022-07-21 04:25:40 |