CVE Vulnerabilities

CVE-2022-26136

Improper Authentication

Published: Jul 20, 2022 | Modified: Aug 04, 2022
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name Vendor Start Version End Version
Bamboo Atlassian 7.2.0 (including) 7.2.10 (excluding)
Bamboo Atlassian 8.0.0 (including) 8.0.9 (excluding)
Bamboo Atlassian 8.1.0 (including) 8.1.8 (excluding)
Bamboo Atlassian 8.2.0 (including) 8.2.4 (excluding)
Bitbucket Atlassian * 7.6.16 (excluding)
Bitbucket Atlassian 7.7.0 (including) 7.17.8 (excluding)
Bitbucket Atlassian 7.18.0 (including) 7.19.5 (excluding)
Bitbucket Atlassian 7.20.0 (including) 7.20.2 (excluding)
Bitbucket Atlassian 7.21.0 (including) 7.21.2 (excluding)
Bitbucket Atlassian 8.0.0 (including) 8.0.0 (including)
Bitbucket Atlassian 8.1.0 (including) 8.1.0 (including)
Confluence_data_center Atlassian * 7.4.17 (excluding)
Confluence_data_center Atlassian 7.5.0 (including) 7.13.7 (excluding)
Confluence_data_center Atlassian 7.14.0 (including) 7.14.3 (excluding)
Confluence_data_center Atlassian 7.15.0 (including) 7.15.2 (excluding)
Confluence_data_center Atlassian 7.16.0 (including) 7.16.4 (excluding)
Confluence_data_center Atlassian 7.17.0 (including) 7.17.4 (excluding)
Confluence_data_center Atlassian 7.18.0 (including) 7.18.0 (including)
Confluence_server Atlassian * 7.4.17 (excluding)
Confluence_server Atlassian 7.5.0 (including) 7.13.7 (excluding)
Confluence_server Atlassian 7.14.0 (including) 7.14.3 (excluding)
Confluence_server Atlassian 7.15.0 (including) 7.15.2 (excluding)
Confluence_server Atlassian 7.16.0 (including) 7.16.4 (excluding)
Confluence_server Atlassian 7.17.0 (including) 7.17.4 (excluding)
Confluence_server Atlassian 7.18.0 (including) 7.18.0 (including)
Crowd Atlassian * 4.3.8 (excluding)
Crowd Atlassian 4.4.0 (including) 4.4.2 (excluding)
Crowd Atlassian 5.0.0 (including) 5.0.0 (including)
Crucible Atlassian * 4.8.10 (excluding)
Fisheye Atlassian * 4.8.10 (excluding)
Jira_data_center Atlassian 8.13.0 (including) 8.13.22 (excluding)
Jira_data_center Atlassian 8.14.0 (including) 8.20.10 (excluding)
Jira_data_center Atlassian 8.21.0 (including) 8.22.4 (excluding)
Jira_server Atlassian 8.13.0 (including) 8.13.22 (excluding)
Jira_server Atlassian 8.14.0 (including) 8.20.10 (excluding)
Jira_server Atlassian 8.21.0 (including) 8.22.4 (excluding)
Jira_service_desk Atlassian * 4.13.22 (excluding)
Jira_service_management Atlassian 4.14.0 (including) 4.20.10 (excluding)
Jira_service_management Atlassian 4.21.0 (including) 4.22.4 (excluding)

Potential Mitigations

References