Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2022-26136

Incorrect Behavior Order: Validate Before Canonicalize

Published: Jul 20, 2022 | Modified: Nov 21, 2024
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2022-26136
CWEhttps://cwe.mitre.org/data/definitions/180.html

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.

Weakness

The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.

Affected Software

Name Vendor Start Version End Version
Bamboo Atlassian 7.2.0 (including) 7.2.10 (excluding)
Bamboo Atlassian 8.0.0 (including) 8.0.9 (excluding)
Bamboo Atlassian 8.1.0 (including) 8.1.8 (excluding)
Bamboo Atlassian 8.2.0 (including) 8.2.4 (excluding)
Bitbucket Atlassian * 7.6.16 (excluding)
Bitbucket Atlassian 7.7.0 (including) 7.17.8 (excluding)
Bitbucket Atlassian 7.18.0 (including) 7.19.5 (excluding)
Bitbucket Atlassian 7.20.0 (including) 7.20.2 (excluding)
Bitbucket Atlassian 7.21.0 (including) 7.21.2 (excluding)
Bitbucket Atlassian 8.0.0 (including) 8.0.0 (including)
Bitbucket Atlassian 8.1.0 (including) 8.1.0 (including)
Confluence_data_center Atlassian * 7.4.17 (excluding)
Confluence_data_center Atlassian 7.5.0 (including) 7.13.7 (excluding)
Confluence_data_center Atlassian 7.14.0 (including) 7.14.3 (excluding)
Confluence_data_center Atlassian 7.15.0 (including) 7.15.2 (excluding)
Confluence_data_center Atlassian 7.16.0 (including) 7.16.4 (excluding)
Confluence_data_center Atlassian 7.17.0 (including) 7.17.4 (excluding)
Confluence_data_center Atlassian 7.18.0 (including) 7.18.0 (including)
Confluence_server Atlassian * 7.4.17 (excluding)
Confluence_server Atlassian 7.5.0 (including) 7.13.7 (excluding)
Confluence_server Atlassian 7.14.0 (including) 7.14.3 (excluding)
Confluence_server Atlassian 7.15.0 (including) 7.15.2 (excluding)
Confluence_server Atlassian 7.16.0 (including) 7.16.4 (excluding)
Confluence_server Atlassian 7.17.0 (including) 7.17.4 (excluding)
Confluence_server Atlassian 7.18.0 (including) 7.18.0 (including)
Crowd Atlassian * 4.3.8 (excluding)
Crowd Atlassian 4.4.0 (including) 4.4.2 (excluding)
Crowd Atlassian 5.0.0 (including) 5.0.0 (including)
Crucible Atlassian * 4.8.10 (excluding)
Fisheye Atlassian * 4.8.10 (excluding)
Jira_data_center Atlassian 8.13.0 (including) 8.13.22 (excluding)
Jira_data_center Atlassian 8.14.0 (including) 8.20.10 (excluding)
Jira_data_center Atlassian 8.21.0 (including) 8.22.4 (excluding)
Jira_server Atlassian 8.13.0 (including) 8.13.22 (excluding)
Jira_server Atlassian 8.14.0 (including) 8.20.10 (excluding)
Jira_server Atlassian 8.21.0 (including) 8.22.4 (excluding)
Jira_service_desk Atlassian * 4.13.22 (excluding)
Jira_service_management Atlassian 4.14.0 (including) 4.20.10 (excluding)
Jira_service_management Atlassian 4.21.0 (including) 4.22.4 (excluding)

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use