CVE-2022-26136

CWE-180CWE-287Improper Authentication3 documents3 sources
Severity
9.8CRITICAL
EPSS
0.3%
top 45.19%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
22
Atlassian Bamboo Data CenterAtlassian Bamboo ServerAtlassian Bitbucket Data Center+19 more
Timeline
PublishedJul 20
Latest updateJul 21

Description

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages26 packages

NVDatlassian/jira_service_management4.14.04.20.10+1
CVEListV5atlassian/jira_service_management_serverunspecified4.13.22+4
CVEListV5atlassian/jira_service_management_data_centerunspecified4.13.22+4
NVDatlassian/jira_server8.13.08.13.22+2

Patches

Patch: jira.atlassian.comPatch: jira.atlassian.comPatch: jira.atlassian.com

🔴Vulnerability Details

2
GHSA
GHSA-f3mv-w3v5-88qp: A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps2022-07-21
CVEList
CVE-2022-26136: A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps2022-07-20
CVE-2022-26136 (CRITICAL CVSS 9.8) | A vulnerability in multiple Atlassi | cvebase.io