atlassian confluence CVE-2022-26136 vulnerability in Atlassian Products
Published on July 20, 2022

product logo product logo product logo product logo
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.

NVD

Vulnerability Analysis

CVE-2022-26136 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

Incorrect Behavior Order: Validate Before Canonicalize

The software validates input before it is canonicalized, which prevents the software from detecting data that becomes invalid after the canonicalization step. This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection.


Products Associated with CVE-2022-26136

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-26136 are published in these products:

Atlassian Confluence
 
Atlassian Bitbucket
 
Atlassian Crowd
 
Atlassian Crucible
 
Atlassian Fisheye
 
Atlassian Jira
 
Atlassian Bamboo
 
Atlassian Jira Service Desk
 

Affected Versions

Atlassian Bamboo Server: Atlassian Bamboo Data Center: Atlassian Bitbucket Server: Atlassian Bitbucket Data Center: Atlassian Confluence Server: Atlassian Confluence Data Center: Atlassian Crowd Server: Atlassian Crowd Data Center: Atlassian Crucible: Atlassian Fisheye: Atlassian Jira Core Server: Atlassian Jira Software Server: Atlassian Jira Software Data Center: Atlassian Jira Service Management Server: Atlassian Jira Service Management Data Center: atlassian bamboo: atlassian bitbucket: atlassian bitbucket: atlassian confluence_data_center: atlassian confluence_data_center: atlassian confluence_server: atlassian confluence_server: atlassian crowd: atlassian crowd: atlassian crucible: atlassian fisheye: atlassian jira_data_center: atlassian jira_server: atlassian jira_service_desk: atlassian jira_service_desk: atlassian jira_service_management: atlassian jira_service_management:

Exploit Probability

EPSS
0.58%
Percentile
68.43%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.