atlassian confluence CVE-2022-26137 vulnerability in Atlassian Products
Published on July 20, 2022

product logo product logo product logo product logo
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victims permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.

NVD

Vulnerability Analysis

CVE-2022-26137 can be exploited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

Incorrect Behavior Order: Validate Before Canonicalize

The software validates input before it is canonicalized, which prevents the software from detecting data that becomes invalid after the canonicalization step. This can be used by an attacker to bypass the validation and launch attacks that expose weaknesses that would otherwise be prevented, such as injection.


Products Associated with CVE-2022-26137

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-26137 are published in these products:

Atlassian Confluence
 
Atlassian Bitbucket
 
Atlassian Crowd
 
Atlassian Crucible
 
Atlassian Fisheye
 
Atlassian Jira
 
Atlassian Bamboo
 
Atlassian Jira Service Desk
 

Affected Versions

Atlassian Bamboo Server: Atlassian Bamboo Data Center: Atlassian Bitbucket Server: Atlassian Bitbucket Data Center: Atlassian Confluence Server: Atlassian Confluence Data Center: Atlassian Crowd Server: Atlassian Crowd Data Center: Atlassian Crucible: Atlassian Fisheye: Atlassian Jira Core Server: Atlassian Jira Software Server: Atlassian Jira Software Data Center: Atlassian Jira Service Management Server: Atlassian Jira Service Management Data Center: atlassian bamboo: atlassian bitbucket: atlassian bitbucket: atlassian bitbucket: atlassian confluence_data_center: atlassian confluence_data_center: atlassian confluence_server: atlassian confluence_server: atlassian crowd: atlassian crowd: atlassian crucible: atlassian fisheye: atlassian jira_data_center: atlassian jira_server: atlassian jira_service_desk: atlassian jira_service_desk: atlassian jira_service_management: atlassian jira_service_management:

Exploit Probability

EPSS
0.22%
Percentile
44.58%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.