CVE-2022-26137 — Incorrect Behavior Order: Validate Before Canonicalize in Atlassian Bamboo Data Center
Severity: 8.8 HIGH (NVD)
EPSS: 0.1% (top 68.74%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jul 20
Latest update: Jul 21
Description
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a …
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
Affected Packages: 26 packages
Patches
Vulnerability Details
GHSA (2)
GHSA-fpj5-pcgc-34g7 (2022-07-21): A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the ap
CVEList
CVE-2022-26137 (2022-07-20): A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the ap