CVE-2022-26137

20.07.2022, 18:15

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
atlassian	bamboo	7.2.0 ≤ 𝑥 < 7.2.10
atlassian	bamboo	8.0.0 ≤ 𝑥 < 8.0.9
atlassian	bamboo	8.1.0 ≤ 𝑥 < 8.1.8
atlassian	bamboo	8.2.0 ≤ 𝑥 < 8.2.4
atlassian	bitbucket	𝑥 < 7.6.16
atlassian	bitbucket	7.7.0 ≤ 𝑥 < 7.17.8
atlassian	bitbucket	7.18.0 ≤ 𝑥 < 7.19.5
atlassian	bitbucket	7.20.0 ≤ 𝑥 < 7.20.2
atlassian	bitbucket	7.21.0 ≤ 𝑥 < 7.21.2
atlassian	bitbucket	8.0.0
atlassian	bitbucket	8.1.0
atlassian	confluence_data_center	𝑥 < 7.4.17
atlassian	confluence_data_center	7.5.0 ≤ 𝑥 < 7.13.7
atlassian	confluence_data_center	7.14.0 ≤ 𝑥 < 7.14.3
atlassian	confluence_data_center	7.15.0 ≤ 𝑥 < 7.15.2
atlassian	confluence_data_center	7.16.0 ≤ 𝑥 < 7.16.4
atlassian	confluence_data_center	7.17.0 ≤ 𝑥 < 7.17.4
atlassian	confluence_data_center	7.18.0
atlassian	confluence_server	𝑥 < 7.4.17
atlassian	confluence_server	7.5.0 ≤ 𝑥 < 7.13.7
atlassian	confluence_server	7.14.0 ≤ 𝑥 < 7.14.3
atlassian	confluence_server	7.15.0 ≤ 𝑥 < 7.15.2
atlassian	confluence_server	7.16.0 ≤ 𝑥 < 7.16.4
atlassian	confluence_server	7.17.0 ≤ 𝑥 < 7.17.4
atlassian	confluence_server	7.18.0
atlassian	crowd	𝑥 < 4.3.8
atlassian	crowd	4.4.0 ≤ 𝑥 < 4.4.2
atlassian	crowd	5.0.0
atlassian	crucible	𝑥 < 4.8.10
atlassian	fisheye	𝑥 < 4.8.10
atlassian	jira_data_center	8.13.0 ≤ 𝑥 < 8.13.22
atlassian	jira_data_center	8.14.0 ≤ 𝑥 < 8.20.10
atlassian	jira_data_center	8.21.0 ≤ 𝑥 < 8.22.4
atlassian	jira_server	8.13.0 ≤ 𝑥 < 8.13.22
atlassian	jira_server	8.14.0 ≤ 𝑥 < 8.20.10
atlassian	jira_server	8.21.0 ≤ 𝑥 < 8.22.4
atlassian	jira_service_desk	𝑥 < 4.13.22
atlassian	jira_service_desk	𝑥 < 4.13.22
atlassian	jira_service_management	4.14.0 ≤ 𝑥 < 4.20.10
atlassian	jira_service_management	4.14.0 ≤ 𝑥 < 4.20.10
atlassian	jira_service_management	4.21.0 ≤ 𝑥 < 4.22.4
atlassian	jira_service_management	4.21.0 ≤ 𝑥 < 4.22.4

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
atlassian	bamboo	7.2.0 ≤ 𝑥 < 7.2.10	ADP
atlassian	bamboo	8.0.0 ≤ 𝑥 < 8.0.9	ADP
atlassian	bamboo	8.1.0 ≤ 𝑥 < 8.1.8	ADP
atlassian	bamboo	8.2.0 ≤ 𝑥 < 8.2.4	ADP
atlassian	bitbucket	𝑥 < 7.6.16	ADP
atlassian	bitbucket	7.7.0 ≤ 𝑥 < 7.17.8	ADP
atlassian	bitbucket	7.18.0 ≤ 𝑥 < 7.19.5	ADP
atlassian	bitbucket	7.20.1 ≤ 𝑥 < 7.20.2	ADP
atlassian	bitbucket	7.21.0 ≤ 𝑥 < 7.21.2	ADP
atlassian	confluence_data_center	𝑥 < 7.4.17	ADP
atlassian	confluence_data_center	7.5.0 ≤ 𝑥 < 7.13.7	ADP
atlassian	confluence_data_center	7.14.0 ≤ 𝑥 < 7.14.3	ADP
atlassian	confluence_data_center	7.15.0 ≤ 𝑥 < 7.15.2	ADP
atlassian	confluence_data_center	7.16.0 ≤ 𝑥 < 7.16.4	ADP
atlassian	confluence_data_center	7.17.0 ≤ 𝑥 < 7.17.4	ADP
atlassian	confluence_server	𝑥 < 7.4.17	ADP
atlassian	confluence_server	7.5.0 ≤ 𝑥 < 7.13.7	ADP
atlassian	confluence_server	7.14.0 ≤ 𝑥 < 7.14.3	ADP
atlassian	confluence_server	7.15.0 ≤ 𝑥 < 7.15.2	ADP
atlassian	confluence_server	7.16.0 ≤ 𝑥 < 7.16.4	ADP
atlassian	confluence_server	7.17.0 ≤ 𝑥 < 7.17.4	ADP
atlassian	crowd	𝑥 < 4.3.8	ADP
atlassian	crowd	4.4.0 ≤ 𝑥 < 4.4.2	ADP
atlassian	crucible	𝑥 < 4.8.10	ADP
atlassian	fisheye	𝑥 < 4.8.10	ADP
atlassian	jira_data_center	8.13.0 ≤ 𝑥 < 8.13.22	ADP
atlassian	jira_data_center	8.14.0 ≤ 𝑥 < 8.20.10	ADP
atlassian	jira_data_center	8.21.0 ≤ 𝑥 < 8.22.4	ADP
atlassian	jira_server	8.13.0 ≤ 𝑥 < 8.13.22	ADP
atlassian	jira_server	8.14.0 ≤ 𝑥 < 8.20.10	ADP
atlassian	jira_server	8.21.0 ≤ 𝑥 < 8.22.4	ADP
atlassian	jira_service_desk	𝑥 < 4.13.22	ADP
atlassian	jira_service_desk	𝑥 < 4.13.22	ADP
atlassian	jira_service_management	4.14.0 ≤ 𝑥 < 4.20.10	ADP
atlassian	jira_service_management	4.21.0 ≤ 𝑥 < 4.22.4	ADP
atlassian	jira_service_management	4.14.0 ≤ 𝑥 < 4.20.10	ADP
atlassian	jira_service_management	4.21.0 ≤ 𝑥 < 4.22.4	ADP

Common Weakness Enumeration

References

https://jira.atlassian.com/browse/BAM-21795

https://jira.atlassian.com/browse/BSERV-13370

https://jira.atlassian.com/browse/CONFSERVER-79476

https://jira.atlassian.com/browse/CRUC-8541

https://jira.atlassian.com/browse/CWD-5815

https://jira.atlassian.com/browse/FE-7410

https://jira.atlassian.com/browse/JRASERVER-73897

https://jira.atlassian.com/browse/JSDSERVER-11863