CVE-2022-26136 : A vulnerability in multiple Atlassian products allows a remote, unauthenticated

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.

Published 2022-07-20 18:15:08

Updated 2024-10-03 17:35:01

Source Atlassian

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2022-26136

Atlassian » Fisheye
Versions before (<) 4.8.10
cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Crucible
Versions before (<) 4.8.10
cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Bamboo
Versions from including (>=) 8.0.0 and before (<) 8.0.9
cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Bamboo
Versions from including (>=) 7.2.0 and before (<) 7.2.10
cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Bamboo
Versions from including (>=) 8.2.0 and before (<) 8.2.4
cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Bamboo
Versions from including (>=) 8.1.0 and before (<) 8.1.8
cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Crowd
Versions before (<) 4.3.8
cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Crowd
Versions from including (>=) 4.4.0 and before (<) 4.4.2
cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Crowd » Version: 5.0.0
cpe:2.3:a:atlassian:crowd:5.0.0:*:*:*:*:*:*:*
Matching versions
Atlassian » Jira Service Desk » Data Center Edition
Versions before (<) 4.13.22
cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:data_center:*:*:*
Matching versions
Atlassian » Jira Service Desk » Server Edition
Versions before (<) 4.13.22
cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:server:*:*:*
Matching versions
Atlassian » Bitbucket
Versions from including (>=) 7.18.0 and before (<) 7.19.5
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Bitbucket
Versions from including (>=) 7.7.0 and before (<) 7.17.8
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Bitbucket
Versions from including (>=) 7.20.0 and before (<) 7.20.2
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Bitbucket
Versions from including (>=) 7.21.0 and before (<) 7.21.2
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Bitbucket
Versions before (<) 7.6.16
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Bitbucket » Version: 8.0.0
cpe:2.3:a:atlassian:bitbucket:8.0.0:*:*:*:*:*:*:*
Matching versions
Atlassian » Bitbucket » Version: 8.1.0
cpe:2.3:a:atlassian:bitbucket:8.1.0:*:*:*:*:*:*:*
Matching versions
Atlassian » Jira Service Management » Server Edition
Versions from including (>=) 4.21.0 and before (<) 4.22.4
cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*
Matching versions
Atlassian » Jira Service Management » Server Edition
Versions from including (>=) 4.14.0 and before (<) 4.20.10
cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*
Matching versions
Atlassian » Jira Service Management » Data Center Edition
Versions from including (>=) 4.21.0 and before (<) 4.22.4
cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*
Matching versions
Atlassian » Jira Service Management » Data Center Edition
Versions from including (>=) 4.14.0 and before (<) 4.20.10
cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*
Matching versions
Atlassian » Confluence Server
Versions from including (>=) 7.16.0 and before (<) 7.16.4
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Confluence Server
Versions from including (>=) 7.17.0 and before (<) 7.17.4
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Confluence Server
Versions before (<) 7.4.17
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Confluence Server
Versions from including (>=) 7.15.0 and before (<) 7.15.2
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Confluence Server
Versions from including (>=) 7.14.0 and before (<) 7.14.3
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Confluence Server
Versions from including (>=) 7.5.0 and before (<) 7.13.7
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Confluence Server » Version: 7.18.0
cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*
Matching versions
Atlassian » Jira Server
Versions from including (>=) 8.13.0 and before (<) 8.13.22
cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Jira Server
Versions from including (>=) 8.21.0 and before (<) 8.22.4
cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Jira Server
Versions from including (>=) 8.14.0 and before (<) 8.20.10
cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Jira Data Center
Versions from including (>=) 8.14.0 and before (<) 8.20.10
cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Jira Data Center
Versions from including (>=) 8.13.0 and before (<) 8.13.22
cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Jira Data Center
Versions from including (>=) 8.21.0 and before (<) 8.22.4
cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Confluence Data Center
Versions from including (>=) 7.17.0 and before (<) 7.17.4
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Confluence Data Center
Versions from including (>=) 7.5.0 and before (<) 7.13.7
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Confluence Data Center
Versions from including (>=) 7.15.0 and before (<) 7.15.2
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Confluence Data Center
Versions before (<) 7.4.17
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Confluence Data Center
Versions from including (>=) 7.16.0 and before (<) 7.16.4
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Confluence Data Center
Versions from including (>=) 7.14.0 and before (<) 7.14.3
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Confluence Data Center » Version: 7.18.0
cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2022-26136

Top countries where our scanners detected CVE-2022-26136

Top open port discovered on systems with this issue 443

IPs affected by CVE-2022-26136 809

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2022-26136!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2022-26136

EPSS FAQ

0.18%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 41 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-26136

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2024-10-03
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-26136

CWE-180 Incorrect Behavior Order: Validate Before Canonicalize

The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.

Assigned by: security@atlassian.com (Secondary)
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-26136

https://jira.atlassian.com/browse/BSERV-13370

[BSERV-13370] Bitbucket: Multiple Servlet Filter Vulnerabilities - Create and track feature requests for Atlassian products.
Issue Tracking;Patch;Vendor Advisory

CVEs referencing this url
https://jira.atlassian.com/browse/CWD-5815

[CWD-5815] Crowd: Multiple Servlet Filter Vulnerabilities - Create and track feature requests for Atlassian products.
Issue Tracking;Patch;Vendor Advisory

CVEs referencing this url
https://jira.atlassian.com/browse/CONFSERVER-79476

[CONFSERVER-79476] Confluence: Multiple Servlet Filter Vulnerabilities - Create and track feature requests for Atlassian products.
Issue Tracking;Patch;Vendor Advisory

CVEs referencing this url
https://jira.atlassian.com/browse/FE-7410

[FE-7410] Fisheye: Multiple Servlet Filter Vulnerabilities - Create and track feature requests for Atlassian products.
Issue Tracking;Patch;Vendor Advisory

CVEs referencing this url
https://jira.atlassian.com/browse/BAM-21795

[BAM-21795] Bamboo: Multiple Servlet Filter Vulnerabilities - Create and track feature requests for Atlassian products.
Issue Tracking;Patch;Vendor Advisory

CVEs referencing this url
https://jira.atlassian.com/browse/CRUC-8541

[CRUC-8541] Crucible: Multiple Servlet Filter Vulnerabilities - Create and track feature requests for Atlassian products.
Issue Tracking;Patch;Vendor Advisory

CVEs referencing this url
https://jira.atlassian.com/browse/JRASERVER-73897

[JRASERVER-73897] Jira: Multiple Servlet Filter Vulnerabilities - Create and track feature requests for Atlassian products.
Issue Tracking;Patch;Vendor Advisory

CVEs referencing this url
https://jira.atlassian.com/browse/JSDSERVER-11863

[JSDSERVER-11863] JSM: Multiple Servlet Filter Vulnerabilities - Create and track feature requests for Atlassian products.
Issue Tracking;Patch;Vendor Advisory

CVEs referencing this url