github - ghsa-f3mv-w3v5-88qp

ghsa-f3mv-w3v5-88qp

Vulnerability from github

Published

2022-07-21 00:00

Modified

2022-08-05 00:00

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-26136"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-180",
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-20T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.",
  "id": "GHSA-f3mv-w3v5-88qp",
  "modified": "2022-08-05T00:00:28Z",
  "published": "2022-07-21T00:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26136"
    },
    {
      "type": "WEB",
      "url": "https://jira.atlassian.com/browse/BAM-21795"
    },
    {
      "type": "WEB",
      "url": "https://jira.atlassian.com/browse/BSERV-13370"
    },
    {
      "type": "WEB",
      "url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
    },
    {
      "type": "WEB",
      "url": "https://jira.atlassian.com/browse/CRUC-8541"
    },
    {
      "type": "WEB",
      "url": "https://jira.atlassian.com/browse/CWD-5815"
    },
    {
      "type": "WEB",
      "url": "https://jira.atlassian.com/browse/FE-7410"
    },
    {
      "type": "WEB",
      "url": "https://jira.atlassian.com/browse/JRASERVER-73897"
    },
    {
      "type": "WEB",
      "url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2022-26136 (GCVE-0-2022-26136)

Vulnerability from cvelistv5

Published

2022-07-20 17:25

Modified

2024-10-03 16:43

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize ().

Summary

References

URL

Tags

	https://jira.atlassian.com/browse/BAM-21795	x_refsource_MISC
	https://jira.atlassian.com/browse/BSERV-13370	x_refsource_MISC
	https://jira.atlassian.com/browse/CONFSERVER-79476	x_refsource_MISC
	https://jira.atlassian.com/browse/CWD-5815	x_refsource_MISC
	https://jira.atlassian.com/browse/FE-7410	x_refsource_MISC
	https://jira.atlassian.com/browse/CRUC-8541	x_refsource_MISC
	https://jira.atlassian.com/browse/JRASERVER-73897	x_refsource_MISC
	https://jira.atlassian.com/browse/JSDSERVER-11863	x_refsource_MISC

Impacted products

Vendor

Product

Version

Atlassian

Bamboo Server

Version: unspecified   < 8.0.9
Version: 8.1.0   < unspecified
Version: unspecified   < 8.1.8
Version: 8.2.0   < unspecified
Version: unspecified   < 8.2.4

Atlassian	Bamboo Data Center	Version: unspecified < 8.0.9 Version: 8.1.0 < unspecified Version: unspecified < 8.1.8 Version: 8.2.0 < unspecified Version: unspecified < 8.2.4
Atlassian	Bitbucket Server	Version: unspecified < 7.6.16 Version: 7.7.0 < unspecified Version: 7.16.0 < unspecified Version: unspecified < 7.17.8 Version: 7.18.0 < unspecified Version: unspecified < 7.19.5 Version: 7.20.0 < unspecified Version: unspecified < 7.20.2 Version: 7.21.0 < unspecified Version: unspecified < 7.21.2 Version: 8.0.0 Version: 8.1.0
Atlassian	Bitbucket Data Center	Version: unspecified < 7.6.16 Version: 7.7.0 < unspecified Version: 7.16.0 < unspecified Version: unspecified < 7.17.8 Version: 7.18.0 < unspecified Version: unspecified < 7.19.5 Version: 7.20.0 < unspecified Version: unspecified < 7.20.2 Version: 7.21.0 < unspecified Version: unspecified < 7.21.2 Version: 8.0.0 Version: 8.1.0
Atlassian	Confluence Server	Version: unspecified < 7.4.17 Version: 7.5.0 < unspecified Version: unspecified < 7.13.7 Version: 7.14.0 < unspecified Version: unspecified < 7.14.3 Version: 7.15.0 < unspecified Version: unspecified < 7.15.2 Version: 7.16.0 < unspecified Version: unspecified < 7.16.4 Version: 7.17.0 < unspecified Version: unspecified < 7.17.4 Version: 7.18.0
Atlassian	Confluence Data Center	Version: unspecified < 7.4.17 Version: 7.5.0 < unspecified Version: unspecified < 7.13.7 Version: 7.14.0 < unspecified Version: unspecified < 7.14.3 Version: 7.15.0 < unspecified Version: unspecified < 7.15.2 Version: 7.16.0 < unspecified Version: unspecified < 7.16.4 Version: 7.17.0 < unspecified Version: unspecified < 7.17.4 Version: 7.18.0
Atlassian	Crowd Server	Version: unspecified < 4.3.8 Version: 4.4.0 < unspecified Version: unspecified < 4.4.2 Version: 5.0.0
Atlassian	Crowd Data Center	Version: unspecified < 4.3.8 Version: 4.4.0 < unspecified Version: unspecified < 4.4.2 Version: 5.0.0
Atlassian	Crucible	Version: unspecified < 4.8.10
Atlassian	Fisheye	Version: unspecified < 4.8.10
Atlassian	Jira Core Server	Version: unspecified < 8.13.22 Version: 8.14.0 < unspecified Version: unspecified < 8.20.10 Version: 8.21.0 < unspecified Version: unspecified < 8.22.4
Atlassian	Jira Software Server	Version: unspecified < 8.13.22 Version: 8.14.0 < unspecified Version: unspecified < 8.20.10 Version: 8.21.0 < unspecified Version: unspecified < 8.22.4
Atlassian	Jira Software Data Center	Version: unspecified < 8.13.22 Version: 8.14.0 < unspecified Version: unspecified < 8.20.10 Version: 8.21.0 < unspecified Version: unspecified < 8.22.4
Atlassian	Jira Service Management Server	Version: unspecified < 4.13.22 Version: 4.14.0 < unspecified Version: unspecified < 4.20.10 Version: 4.21.0 < unspecified Version: unspecified < 4.22.4
Atlassian	Jira Service Management Data Center	Version: unspecified < 4.13.22 Version: 4.14.0 < unspecified Version: unspecified < 4.20.10 Version: 4.21.0 < unspecified Version: unspecified < 4.22.4

Show details on NVD website