CVSSv3: 8.8

CVE-2022-26137

Published: 20/07/2022 Updated: 04/08/2022
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 0

Vulnerability Summary

A vulnerability in multiple Atlassian products allows a remote, unauthenticated malicious user to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: a Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker who can trick a user into requesting a malicious URL can access the vulnerable application with the victim's permissions.

Affected versions:

Atlassian Bamboo: prior to 8.0.9, from 8.1.0 prior to 8.1.8, and from 8.2.0 prior to 8.2.4.
Atlassian Bitbucket: prior to 7.6.16, from 7.7.0 prior to 7.17.8, from 7.18.0 prior to 7.19.5, from 7.20.0 prior to 7.20.2, from 7.21.0 prior to 7.21.2, and versions 8.0.0 and 8.1.0.
Atlassian Confluence: prior to 7.4.17, from 7.5.0 prior to 7.13.7, from 7.14.0 prior to 7.14.3, from 7.15.0 prior to 7.15.2, from 7.16.0 prior to 7.16.4, from 7.17.0 prior to 7.17.4, and version 7.21.0.
Atlassian Crowd: prior to 4.3.8, from 4.4.0 prior to 4.4.2, and version 5.0.0.
Atlassian Fisheye and Crucible: prior to 4.8.10.
Atlassian Jira: prior to 8.13.22, from 8.14.0 prior to 8.20.10, and from 8.21.0 prior to 8.22.4.
Atlassian Jira Service Management: prior to 4.13.22, from 4.14.0 prior to 4.20.10, and from 4.21.0 prior to 4.22.4.

Vulnerable Products

atlassian confluence data center 7.18.0
atlassian confluence data center
atlassian confluence server 7.18.0
atlassian confluence server
atlassian bitbucket 8.0.0
atlassian bitbucket 8.1.0
atlassian crowd
atlassian crowd 5.0.0
atlassian crucible
atlassian fisheye
atlassian jira data center
atlassian jira server
atlassian jira service management
atlassian bamboo
atlassian bitbucket
atlassian jira service desk

Recent Articles

Atlassian reveals critical flaws in almost everything it makes and touches
The Register • Simon Sharwood, APAC Editor • 01 Jan 1970

Fixes issued, warns it 'has not exhaustively enumerated all potential consequences'

Atlassian has warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that a pair of critical-rated flaws threaten their security. The company's July security advisories detail "Servlet Filter dispatcher vulnerabilities." One of the flaws – CVE-2022-26136 – is described as an arbitrary Servlet Filter bypass that means an attacker could send a specially crafted HTTP request to bypass custom Servlet Filters used by third-party apps to enforce authentication. The...