Skip to main content

Bamboo CVE-2022-26137

HIGH
Incorrect Behavior Order: Validate Before Canonicalize (CWE-180)
2022-07-20 security@atlassian.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jul 20, 2022 - 18:15 nvd
HIGH 8.8

DescriptionNVD

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.

AnalysisAI

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-180. A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4. Affected products include: Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence Data Center, Atlassian Confluence Server, Atlassian Crowd. Version information: before 8.0.9.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Bamboo

View all
CVE-2012-2926 CRITICAL POC
9.1 May 22

Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible bef

CVE-2016-5229 CRITICAL
9.8 Aug 02

Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, w

CVE-2015-8360 CRITICAL
9.8 Feb 08

An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arb

CVE-2014-9757 CRITICAL
9.8 Feb 08

The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote con

CVE-2022-26136 CRITICAL
9.8 Jul 20

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used

CVE-2017-14589 CRITICAL
9.6 Dec 13

It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. Rated critic

CVE-2015-6576 HIGH
8.8 Oct 03

Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execut

CVE-2015-8361 CRITICAL
9.1 Feb 08

Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 do not require authentication, w

CVE-2017-14590 CRITICAL
9.1 Dec 13

Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. Rated critical s

CVE-2017-8907 HIGH
8.8 Jun 14

Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project

CVE-2017-9514 HIGH
8.8 Oct 12

Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not

CVE-2023-22516 HIGH
8.8 Nov 21

This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.

Share

CVE-2022-26137 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy