Vulnerabilites related to Atlassian - Bamboo Data Center
cve-2023-22516
Vulnerability from cvelistv5
Published
2023-11-21 18:00
Modified
2024-10-21 14:08
Severity ?
EPSS score ?
Summary
This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.0, and 9.3.0 of Bamboo Data Center and Server.
This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.
Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.7.
JDK 1.8u121+ should be used in case Java 8 used to run Bamboo Data Center and Server. See Bamboo 9.2 Upgrade notes (https://confluence.atlassian.com/bambooreleases/bamboo-9-2-upgrade-notes-1207179212.html)
Bamboo Data Center and Server 9.3: Upgrade to a release greater than or equal to 9.3.4
See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).
This vulnerability was discovered by a private user and reported via our Bug Bounty program
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Atlassian | Bamboo Data Center |
Version: >= 8.1.0 Version: >= 8.1.1 Version: >= 8.1.10 Version: >= 8.1.11 Version: >= 8.1.12 Version: >= 8.1.2 Version: >= 8.1.3 Version: >= 8.1.4 Version: >= 8.1.5 Version: >= 8.1.6 Version: >= 8.1.7 Version: >= 8.1.9 Version: >= 8.2.0 Version: >= 8.2.1 Version: >= 8.2.2 Version: >= 8.2.3 Version: >= 8.2.4 Version: >= 8.2.5 Version: >= 8.2.6 Version: >= 8.2.7 Version: >= 8.2.8 Version: >= 8.2.9 Version: >= 9.0.0 Version: >= 9.0.1 Version: >= 9.0.2 Version: >= 9.0.3 Version: >= 9.1.0 Version: >= 9.1.1 Version: >= 9.1.2 Version: >= 9.1.3 Version: >= 9.2.1 Version: >= 9.2.3 Version: >= 9.2.4 Version: >= 9.2.5 Version: >= 9.2.6 Version: >= 9.3.0 Version: >= 9.3.1 Version: >= 9.3.2 Version: >= 9.3.3 |
||||||
|
|||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:13:48.652Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://confluence.atlassian.com/pages/viewpage.action?pageId=1318881573", }, { tags: [ "x_transferred", ], url: "https://jira.atlassian.com/browse/BAM-25168", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-22516", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-10-15T17:15:23.698292Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T14:08:32.586Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "Bamboo Data Center", vendor: "Atlassian", versions: [ { status: "unaffected", version: "< 8.1.0", }, { status: "affected", version: ">= 8.1.0", }, { status: "affected", version: ">= 8.1.1", }, { status: "affected", version: ">= 8.1.10", }, { status: "affected", version: ">= 8.1.11", }, { status: "affected", version: ">= 8.1.12", }, { status: "affected", version: ">= 8.1.2", }, { status: "affected", version: ">= 8.1.3", }, { status: "affected", version: ">= 8.1.4", }, { status: "affected", version: ">= 8.1.5", }, { status: "affected", version: ">= 8.1.6", }, { status: "affected", version: ">= 8.1.7", }, { status: "affected", version: ">= 8.1.9", }, { status: "affected", version: ">= 8.2.0", }, { status: "affected", version: ">= 8.2.1", }, { status: "affected", version: ">= 8.2.2", }, { status: "affected", version: ">= 8.2.3", }, { status: "affected", version: ">= 8.2.4", }, { status: "affected", version: ">= 8.2.5", }, { status: "affected", version: ">= 8.2.6", }, { status: "affected", version: ">= 8.2.7", }, { status: "affected", version: ">= 8.2.8", }, { status: "affected", version: ">= 8.2.9", }, { status: "affected", version: ">= 9.0.0", }, { status: "affected", version: ">= 9.0.1", }, { status: "affected", version: ">= 9.0.2", }, { status: "affected", version: ">= 9.0.3", }, { status: "affected", version: ">= 9.1.0", }, { status: "affected", version: ">= 9.1.1", }, { status: "affected", version: ">= 9.1.2", }, { status: "affected", version: ">= 9.1.3", }, { status: "affected", version: ">= 9.2.1", }, { status: "affected", version: ">= 9.2.3", }, { status: "affected", version: ">= 9.2.4", }, { status: "affected", version: ">= 9.2.5", }, { status: "affected", version: ">= 9.2.6", }, { status: "affected", version: ">= 9.3.0", }, { status: "affected", version: ">= 9.3.1", }, { status: "affected", version: ">= 9.3.2", }, { status: "affected", version: ">= 9.3.3", }, { status: "unaffected", version: ">= 9.2.7", }, { status: "unaffected", version: ">= 9.3.4", }, ], }, { product: "Bamboo Server", vendor: "Atlassian", versions: [ { status: "unaffected", version: "< 8.1.0", }, { status: "affected", version: ">= 8.1.0", }, { status: "affected", version: ">= 8.1.1", }, { status: "affected", version: ">= 8.1.10", }, { status: "affected", version: ">= 8.1.11", }, { status: "affected", version: ">= 8.1.12", }, { status: "affected", version: ">= 8.1.2", }, { status: "affected", version: ">= 8.1.3", }, { status: "affected", version: ">= 8.1.4", }, { status: "affected", version: ">= 8.1.5", }, { status: "affected", version: ">= 8.1.6", }, { status: "affected", version: ">= 8.1.7", }, { status: "affected", version: ">= 8.1.9", }, { status: "affected", version: ">= 8.2.0", }, { status: "affected", version: ">= 8.2.1", }, { status: "affected", version: ">= 8.2.2", }, { status: "affected", version: ">= 8.2.3", }, { status: "affected", version: ">= 8.2.4", }, { status: "affected", version: ">= 8.2.5", }, { status: "affected", version: ">= 8.2.6", }, { status: "affected", version: ">= 8.2.7", }, { status: "affected", version: ">= 8.2.8", }, { status: "affected", version: ">= 8.2.9", }, { status: "affected", version: ">= 9.0.0", }, { status: "affected", version: ">= 9.0.1", }, { status: "affected", version: ">= 9.0.2", }, { status: "affected", version: ">= 9.0.3", }, { status: "affected", version: ">= 9.1.0", }, { status: "affected", version: ">= 9.1.1", }, { status: "affected", version: ">= 9.1.2", }, { status: "affected", version: ">= 9.1.3", }, { status: "affected", version: ">= 9.2.1", }, { status: "affected", version: ">= 9.2.3", }, { status: "affected", version: ">= 9.2.4", }, { status: "affected", version: ">= 9.2.5", }, { status: "affected", version: ">= 9.2.6", }, { status: "affected", version: ">= 9.3.0", }, { status: "affected", version: ">= 9.3.1", }, { status: "affected", version: ">= 9.3.2", }, { status: "affected", version: ">= 9.3.3", }, { status: "unaffected", version: ">= 9.2.7", }, { status: "unaffected", version: ">= 9.3.4", }, ], }, ], credits: [ { lang: "en", value: "a private user", }, ], descriptions: [ { lang: "en", value: "This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.0, and 9.3.0 of Bamboo Data Center and Server.\r\n\r\nThis RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.\r\n\r\nAtlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.7.\r\n JDK 1.8u121+ should be used in case Java 8 used to run Bamboo Data Center and Server. See Bamboo 9.2 Upgrade notes (https://confluence.atlassian.com/bambooreleases/bamboo-9-2-upgrade-notes-1207179212.html)\r\n\r\n Bamboo Data Center and Server 9.3: Upgrade to a release greater than or equal to 9.3.4\r\n\r\nSee the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).\r\n\r\nThis vulnerability was discovered by a private user and reported via our Bug Bounty program", }, ], metrics: [ { cvssV3_0: { baseScore: 8.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "RCE (Remote Code Execution)", lang: "en", type: "RCE (Remote Code Execution)", }, ], }, ], providerMetadata: { dateUpdated: "2023-11-21T18:00:00.752Z", orgId: "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", shortName: "atlassian", }, references: [ { url: "https://confluence.atlassian.com/pages/viewpage.action?pageId=1318881573", }, { url: "https://jira.atlassian.com/browse/BAM-25168", }, ], }, }, cveMetadata: { assignerOrgId: "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", assignerShortName: "atlassian", cveId: "CVE-2023-22516", datePublished: "2023-11-21T18:00:00.752Z", dateReserved: "2023-01-01T00:01:22.332Z", dateUpdated: "2024-10-21T14:08:32.586Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-26136
Vulnerability from cvelistv5
Published
2022-07-20 17:25
Modified
2024-10-03 16:43
Severity ?
EPSS score ?
Summary
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.atlassian.com/browse/BAM-21795 | x_refsource_MISC | |
| https://jira.atlassian.com/browse/BSERV-13370 | x_refsource_MISC | |
| https://jira.atlassian.com/browse/CONFSERVER-79476 | x_refsource_MISC | |
| https://jira.atlassian.com/browse/CWD-5815 | x_refsource_MISC | |
| https://jira.atlassian.com/browse/FE-7410 | x_refsource_MISC | |
| https://jira.atlassian.com/browse/CRUC-8541 | x_refsource_MISC | |
| https://jira.atlassian.com/browse/JRASERVER-73897 | x_refsource_MISC | |
| https://jira.atlassian.com/browse/JSDSERVER-11863 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | Atlassian | Bamboo Server |
Version: unspecified < 8.0.9 Version: 8.1.0 < unspecified Version: unspecified < 8.1.8 Version: 8.2.0 < unspecified Version: unspecified < 8.2.4 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T04:56:37.592Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://jira.atlassian.com/browse/BAM-21795", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://jira.atlassian.com/browse/BSERV-13370", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://jira.atlassian.com/browse/CONFSERVER-79476", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://jira.atlassian.com/browse/CWD-5815", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://jira.atlassian.com/browse/FE-7410", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://jira.atlassian.com/browse/CRUC-8541", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://jira.atlassian.com/browse/JRASERVER-73897", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://jira.atlassian.com/browse/JSDSERVER-11863", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "bamboo", vendor: "atlassian", versions: [ { lessThan: "7.2.10", status: "affected", version: "7.2.0", versionType: "custom", }, { lessThan: "8.0.9", status: "affected", version: "8.0.0", versionType: "custom", }, { lessThan: "8.1.8", status: "affected", version: "8.1.0", versionType: "custom", }, { lessThan: "8.2.4", status: "affected", version: "8.2.0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "bitbucket", vendor: "atlassian", versions: [ { lessThan: "7.6.16", status: "affected", version: "0", versionType: "custom", }, { lessThan: "7.17.8", status: "affected", version: "7.7.0", versionType: "custom", }, { lessThan: "7.19.5", status: "affected", version: "7.18.0", versionType: "custom", }, { lessThan: "7.20.2", status: "affected", version: "7.20.0", versionType: "custom", }, { lessThan: "7.21.2", status: "affected", version: "7.21.0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:bitbucket:8.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bitbucket:8.1.0:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "bitbucket", vendor: "atlassian", versions: [ { status: "affected", version: "8.0.0", }, { status: "affected", version: "8.1.0", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "confluence_data_center", vendor: "atlassian", versions: [ { lessThan: "7.4.17", status: "affected", version: "0", versionType: "custom", }, { lessThan: "7.13.7", status: "affected", version: "7.5.0", versionType: "custom", }, { lessThan: "7.14.3", status: "affected", version: "7.14.0", versionType: "custom", }, { lessThan: "7.15.2", status: "affected", version: "7.15.0", versionType: "custom", }, { lessThan: "7.16.4", status: "affected", version: "7.16.0", versionType: "custom", }, { lessThan: "7.17.4", status: "affected", version: "7.17.0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "confluence_data_center", vendor: "atlassian", versions: [ { status: "affected", version: "7.18.0", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "confluence_server", vendor: "atlassian", versions: [ { lessThan: "7.4.17", status: "affected", version: "0", versionType: "custom", }, { lessThan: "7.13.7", status: "affected", version: "7.5.0", versionType: "custom", }, { lessThan: "7.14.3", status: "affected", version: "7.14.0", versionType: "custom", }, { lessThan: "7.15.2", status: "affected", version: "7.15.0", versionType: "custom", }, { lessThan: "7.16.4", status: "affected", version: "7.16.0", versionType: "custom", }, { lessThan: "7.17.4", status: "affected", version: "7.17.0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "confluence_server", vendor: "atlassian", versions: [ { status: "affected", version: "7.18.0", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "crowd", vendor: "atlassian", versions: [ { lessThan: "4.3.8", status: "affected", version: "0", versionType: "custom", }, { lessThan: "4.4.2", status: "affected", version: "4.4.0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:crowd:5.0.0:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "crowd", vendor: "atlassian", versions: [ { status: "affected", version: "5.0.0", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "crucible", vendor: "atlassian", versions: [ { lessThan: "4.8.10", status: "affected", version: "0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "fisheye", vendor: "atlassian", versions: [ { lessThan: "4.8.10", status: "affected", version: "0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "jira_data_center", vendor: "atlassian", versions: [ { lessThan: "8.13.22", status: "affected", version: "8.13.0", versionType: "custom", }, { lessThan: "8.20.10", status: "affected", version: "8.14.0", versionType: "custom", }, { lessThan: "8.22.4", status: "affected", version: "8.21.0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "jira_server", vendor: "atlassian", versions: [ { lessThan: "8.13.22", status: "affected", version: "8.13.0", versionType: "custom", }, { lessThan: "8.20.10", status: "affected", version: "8.14.0", versionType: "custom", }, { lessThan: "8.22.4", status: "affected", version: "8.21.0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:jira_service_desk:-:*:*:*:server:*:*:*", ], defaultStatus: "unknown", product: "jira_service_desk", vendor: "atlassian", versions: [ { lessThan: "4.13.22", status: "affected", version: "0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:jira_service_desk:-:*:*:*:data_center:*:*:*", ], defaultStatus: "unknown", product: "jira_service_desk", vendor: "atlassian", versions: [ { lessThan: "4.13.22", status: "affected", version: "0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*", ], defaultStatus: "unknown", product: "jira_service_management", vendor: "atlassian", versions: [ { lessThan: "4.20.10", status: "affected", version: "4.14.0", versionType: "custom", }, { lessThan: "4.22.4", status: "affected", version: "4.21.0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*", ], defaultStatus: "unknown", product: "jira_service_management", vendor: "atlassian", versions: [ { lessThan: "4.20.10", status: "affected", version: "4.14.0", versionType: "custom", }, { lessThan: "4.22.4", status: "affected", version: "4.21.0", versionType: "custom", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2022-26136", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-10-03T15:26:49.090400Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-03T16:43:16.268Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "Bamboo Server", vendor: "Atlassian", versions: [ { lessThan: "8.0.9", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "8.1.0", versionType: "custom", }, { lessThan: "8.1.8", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "8.2.0", versionType: "custom", }, { lessThan: "8.2.4", status: "affected", version: "unspecified", versionType: "custom", }, ], }, { product: "Bamboo Data Center", vendor: "Atlassian", versions: [ { lessThan: "8.0.9", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "8.1.0", versionType: "custom", }, { lessThan: "8.1.8", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "8.2.0", versionType: "custom", }, { lessThan: "8.2.4", status: "affected", version: "unspecified", versionType: "custom", }, ], }, { product: "Bitbucket Server", vendor: "Atlassian", versions: [ { lessThan: "7.6.16", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.7.0", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.16.0", versionType: "custom", }, { lessThan: "7.17.8", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.18.0", versionType: "custom", }, { lessThan: "7.19.5", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.20.0", versionType: "custom", }, { lessThan: "7.20.2", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.21.0", versionType: "custom", }, { lessThan: "7.21.2", status: "affected", version: "unspecified", versionType: "custom", }, { status: "affected", version: "8.0.0", }, { status: "affected", version: "8.1.0", }, ], }, { product: "Bitbucket Data Center", vendor: "Atlassian", versions: [ { lessThan: "7.6.16", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.7.0", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.16.0", versionType: "custom", }, { lessThan: "7.17.8", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.18.0", versionType: "custom", }, { lessThan: "7.19.5", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.20.0", versionType: "custom", }, { lessThan: "7.20.2", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.21.0", versionType: "custom", }, { lessThan: "7.21.2", status: "affected", version: "unspecified", versionType: "custom", }, { status: "affected", version: "8.0.0", }, { status: "affected", version: "8.1.0", }, ], }, { product: "Confluence Server", vendor: "Atlassian", versions: [ { lessThan: "7.4.17", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.5.0", versionType: "custom", }, { lessThan: "7.13.7", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.14.0", versionType: "custom", }, { lessThan: "7.14.3", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.15.0", versionType: "custom", }, { lessThan: "7.15.2", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.16.0", versionType: "custom", }, { lessThan: "7.16.4", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.17.0", versionType: "custom", }, { lessThan: "7.17.4", status: "affected", version: "unspecified", versionType: "custom", }, { status: "affected", version: "7.18.0", }, ], }, { product: "Confluence Data Center", vendor: "Atlassian", versions: [ { lessThan: "7.4.17", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.5.0", versionType: "custom", }, { lessThan: "7.13.7", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.14.0", versionType: "custom", }, { lessThan: "7.14.3", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.15.0", versionType: "custom", }, { lessThan: "7.15.2", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.16.0", versionType: "custom", }, { lessThan: "7.16.4", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.17.0", versionType: "custom", }, { lessThan: "7.17.4", status: "affected", version: "unspecified", versionType: "custom", }, { status: "affected", version: "7.18.0", }, ], }, { product: "Crowd Server", vendor: "Atlassian", versions: [ { lessThan: "4.3.8", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "4.4.0", versionType: "custom", }, { lessThan: "4.4.2", status: "affected", version: "unspecified", versionType: "custom", }, { status: "affected", version: "5.0.0", }, ], }, { product: "Crowd Data Center", vendor: "Atlassian", versions: [ { lessThan: "4.3.8", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "4.4.0", versionType: "custom", }, { lessThan: "4.4.2", status: "affected", version: "unspecified", versionType: "custom", }, { status: "affected", version: "5.0.0", }, ], }, { product: "Crucible", vendor: "Atlassian", versions: [ { lessThan: "4.8.10", status: "affected", version: "unspecified", versionType: "custom", }, ], }, { product: "Fisheye", vendor: "Atlassian", versions: [ { lessThan: "4.8.10", status: "affected", version: "unspecified", versionType: "custom", }, ], }, { product: "Jira Core Server", vendor: "Atlassian", versions: [ { lessThan: "8.13.22", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "8.14.0", versionType: "custom", }, { lessThan: "8.20.10", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "8.21.0", versionType: "custom", }, { lessThan: "8.22.4", status: "affected", version: "unspecified", versionType: "custom", }, ], }, { product: "Jira Software Server", vendor: "Atlassian", versions: [ { lessThan: "8.13.22", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "8.14.0", versionType: "custom", }, { lessThan: "8.20.10", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "8.21.0", versionType: "custom", }, { lessThan: "8.22.4", status: "affected", version: "unspecified", versionType: "custom", }, ], }, { product: "Jira Software Data Center", vendor: "Atlassian", versions: [ { lessThan: "8.13.22", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "8.14.0", versionType: "custom", }, { lessThan: "8.20.10", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "8.21.0", versionType: "custom", }, { lessThan: "8.22.4", status: "affected", version: "unspecified", versionType: "custom", }, ], }, { product: "Jira Service Management Server", vendor: "Atlassian", versions: [ { lessThan: "4.13.22", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "4.14.0", versionType: "custom", }, { lessThan: "4.20.10", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "4.21.0", versionType: "custom", }, { lessThan: "4.22.4", status: "affected", version: "unspecified", versionType: "custom", }, ], }, { product: "Jira Service Management Data Center", vendor: "Atlassian", versions: [ { lessThan: "4.13.22", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "4.14.0", versionType: "custom", }, { lessThan: "4.20.10", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "4.21.0", versionType: "custom", }, { lessThan: "4.22.4", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], datePublic: "2022-07-20T00:00:00", descriptions: [ { lang: "en", value: "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-180", description: "Incorrect Behavior Order: Validate Before Canonicalize (CWE-180).", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-07-20T17:25:18", orgId: "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", shortName: "atlassian", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://jira.atlassian.com/browse/BAM-21795", }, { tags: [ "x_refsource_MISC", ], url: "https://jira.atlassian.com/browse/BSERV-13370", }, { tags: [ "x_refsource_MISC", ], url: "https://jira.atlassian.com/browse/CONFSERVER-79476", }, { tags: [ "x_refsource_MISC", ], url: "https://jira.atlassian.com/browse/CWD-5815", }, { tags: [ "x_refsource_MISC", ], url: "https://jira.atlassian.com/browse/FE-7410", }, { tags: [ "x_refsource_MISC", ], url: "https://jira.atlassian.com/browse/CRUC-8541", }, { tags: [ "x_refsource_MISC", ], url: "https://jira.atlassian.com/browse/JRASERVER-73897", }, { tags: [ "x_refsource_MISC", ], url: "https://jira.atlassian.com/browse/JSDSERVER-11863", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@atlassian.com", DATE_PUBLIC: "2022-07-20T00:00:00", ID: "CVE-2022-26136", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Bamboo Server", version: { version_data: [ { version_affected: "<", version_value: "8.0.9", }, { version_affected: ">=", version_value: "8.1.0", }, { version_affected: "<", version_value: "8.1.8", }, { version_affected: ">=", version_value: "8.2.0", }, { version_affected: "<", version_value: "8.2.4", }, ], }, }, { product_name: "Bamboo Data Center", version: { version_data: [ { version_affected: "<", version_value: "8.0.9", }, { version_affected: ">=", version_value: "8.1.0", }, { version_affected: "<", version_value: "8.1.8", }, { version_affected: ">=", version_value: "8.2.0", }, { version_affected: "<", version_value: "8.2.4", }, ], }, }, { product_name: "Bitbucket Server", version: { version_data: [ { version_affected: "<", version_value: "7.6.16", }, { version_affected: ">=", version_value: "7.7.0", }, { version_affected: ">=", version_value: "7.16.0", }, { version_affected: "<", version_value: "7.17.8", }, { version_affected: ">=", version_value: "7.18.0", }, { version_affected: "<", version_value: "7.19.5", }, { version_affected: ">=", version_value: "7.20.0", }, { version_affected: "<", version_value: "7.20.2", }, { version_affected: ">=", version_value: "7.21.0", }, { version_affected: "<", version_value: "7.21.2", }, { version_affected: "=", version_value: "8.0.0", }, { version_affected: "=", version_value: "8.1.0", }, ], }, }, { product_name: "Bitbucket Data Center", version: { version_data: [ { version_affected: "<", version_value: "7.6.16", }, { version_affected: ">=", version_value: "7.7.0", }, { version_affected: ">=", version_value: "7.16.0", }, { version_affected: "<", version_value: "7.17.8", }, { version_affected: ">=", version_value: "7.18.0", }, { version_affected: "<", version_value: "7.19.5", }, { version_affected: ">=", version_value: "7.20.0", }, { version_affected: "<", version_value: "7.20.2", }, { version_affected: ">=", version_value: "7.21.0", }, { version_affected: "<", version_value: "7.21.2", }, { version_affected: "=", version_value: "8.0.0", }, { version_affected: "=", version_value: "8.1.0", }, ], }, }, { product_name: "Confluence Server", version: { version_data: [ { version_affected: "<", version_value: "7.4.17", }, { version_affected: ">=", version_value: "7.5.0", }, { version_affected: "<", version_value: "7.13.7", }, { version_affected: ">=", version_value: "7.14.0", }, { version_affected: "<", version_value: "7.14.3", }, { version_affected: ">=", version_value: "7.15.0", }, { version_affected: "<", version_value: "7.15.2", }, { version_affected: ">=", version_value: "7.16.0", }, { version_affected: "<", version_value: "7.16.4", }, { version_affected: ">=", version_value: "7.17.0", }, { version_affected: "<", version_value: "7.17.4", }, { version_affected: "=", version_value: "7.18.0", }, ], }, }, { product_name: "Confluence Data Center", version: { version_data: [ { version_affected: "<", version_value: "7.4.17", }, { version_affected: ">=", version_value: "7.5.0", }, { version_affected: "<", version_value: "7.13.7", }, { version_affected: ">=", version_value: "7.14.0", }, { version_affected: "<", version_value: "7.14.3", }, { version_affected: ">=", version_value: "7.15.0", }, { version_affected: "<", version_value: "7.15.2", }, { version_affected: ">=", version_value: "7.16.0", }, { version_affected: "<", version_value: "7.16.4", }, { version_affected: ">=", version_value: "7.17.0", }, { version_affected: "<", version_value: "7.17.4", }, { version_affected: "=", version_value: "7.18.0", }, ], }, }, { product_name: "Crowd Server", version: { version_data: [ { version_affected: "<", version_value: "4.3.8", }, { version_affected: ">=", version_value: "4.4.0", }, { version_affected: "<", version_value: "4.4.2", }, { version_affected: "=", version_value: "5.0.0", }, ], }, }, { product_name: "Crowd Data Center", version: { version_data: [ { version_affected: "<", version_value: "4.3.8", }, { version_affected: ">=", version_value: "4.4.0", }, { version_affected: "<", version_value: "4.4.2", }, { version_affected: "=", version_value: "5.0.0", }, ], }, }, { product_name: "Crucible", version: { version_data: [ { version_affected: "<", version_value: "4.8.10", }, ], }, }, { product_name: "Fisheye", version: { version_data: [ { version_affected: "<", version_value: "4.8.10", }, ], }, }, { product_name: "Jira Core Server", version: { version_data: [ { version_affected: "<", version_value: "8.13.22", }, { version_affected: ">=", version_value: "8.14.0", }, { version_affected: "<", version_value: "8.20.10", }, { version_affected: ">=", version_value: "8.21.0", }, { version_affected: "<", version_value: "8.22.4", }, ], }, }, { product_name: "Jira Software Server", version: { version_data: [ { version_affected: "<", version_value: "8.13.22", }, { version_affected: ">=", version_value: "8.14.0", }, { version_affected: "<", version_value: "8.20.10", }, { version_affected: ">=", version_value: "8.21.0", }, { version_affected: "<", version_value: "8.22.4", }, ], }, }, { product_name: "Jira Software Data Center", version: { version_data: [ { version_affected: "<", version_value: "8.13.22", }, { version_affected: ">=", version_value: "8.14.0", }, { version_affected: "<", version_value: "8.20.10", }, { version_affected: ">=", version_value: "8.21.0", }, { version_affected: "<", version_value: "8.22.4", }, ], }, }, { product_name: "Jira Service Management Server", version: { version_data: [ { version_affected: "<", version_value: "4.13.22", }, { version_affected: ">=", version_value: "4.14.0", }, { version_affected: "<", version_value: "4.20.10", }, { version_affected: ">=", version_value: "4.21.0", }, { version_affected: "<", version_value: "4.22.4", }, ], }, }, { product_name: "Jira Service Management Data Center", version: { version_data: [ { version_affected: "<", version_value: "4.13.22", }, { version_affected: ">=", version_value: "4.14.0", }, { version_affected: "<", version_value: "4.20.10", }, { version_affected: ">=", version_value: "4.21.0", }, { version_affected: "<", version_value: "4.22.4", }, ], }, }, ], }, vendor_name: "Atlassian", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Incorrect Behavior Order: Validate Before Canonicalize (CWE-180).", }, ], }, ], }, references: { reference_data: [ { name: "https://jira.atlassian.com/browse/BAM-21795", refsource: "MISC", url: "https://jira.atlassian.com/browse/BAM-21795", }, { name: "https://jira.atlassian.com/browse/BSERV-13370", refsource: "MISC", url: "https://jira.atlassian.com/browse/BSERV-13370", }, { name: "https://jira.atlassian.com/browse/CONFSERVER-79476", refsource: "MISC", url: "https://jira.atlassian.com/browse/CONFSERVER-79476", }, { name: "https://jira.atlassian.com/browse/CWD-5815", refsource: "MISC", url: "https://jira.atlassian.com/browse/CWD-5815", }, { name: "https://jira.atlassian.com/browse/FE-7410", refsource: "MISC", url: "https://jira.atlassian.com/browse/FE-7410", }, { name: "https://jira.atlassian.com/browse/CRUC-8541", refsource: "MISC", url: "https://jira.atlassian.com/browse/CRUC-8541", }, { name: "https://jira.atlassian.com/browse/JRASERVER-73897", refsource: "MISC", url: "https://jira.atlassian.com/browse/JRASERVER-73897", }, { name: "https://jira.atlassian.com/browse/JSDSERVER-11863", refsource: "MISC", url: "https://jira.atlassian.com/browse/JSDSERVER-11863", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", assignerShortName: "atlassian", cveId: "CVE-2022-26136", datePublished: "2022-07-20T17:25:18.803466Z", dateReserved: "2022-02-25T00:00:00", dateUpdated: "2024-10-03T16:43:16.268Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-21689
Vulnerability from cvelistv5
Published
2024-08-20 10:00
Modified
2025-03-13 15:46
Severity ?
EPSS score ?
Summary
This High severity RCE (Remote Code Execution) vulnerability CVE-2024-21689 was introduced in versions 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bamboo Data Center and Server.
This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.6, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction.
Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.17
Bamboo Data Center and Server 9.6: Upgrade to a release greater than or equal to 9.6.5
See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).
This vulnerability was reported via our Bug Bounty program.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Atlassian | Bamboo Data Center |
Version: 9.6.0 to 9.6.4 Version: 9.5.0 to 9.5.4 Version: 9.4.0 to 9.4.4 Version: 9.3.0 to 9.3.6 Version: 9.2.1 to 9.2.16 Version: 9.1.0 to 9.1.3 |
||||||
|
|||||||||
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:atlassian:bamboo_data_center:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "bamboo_data_center", vendor: "atlassian", versions: [ { lessThan: "9.6.4", status: "affected", version: "9.6.0", versionType: "custom", }, { lessThan: "9.5.4", status: "affected", version: "9.5.0", versionType: "custom", }, { lessThan: "9.4.4", status: "affected", version: "9.4.0", versionType: "custom", }, { lessThan: "9.3.6", status: "affected", version: "9.3.0", versionType: "custom", }, { lessThan: "9.2.16", status: "affected", version: "9.2.1", versionType: "custom", }, { lessThan: "9.1.3", status: "affected", version: "9.1.0", versionType: "custom", }, { status: "unaffected", version: "9.6.5", }, { status: "unaffected", version: "9.2.17", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:bamboo_server:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "bamboo_server", vendor: "atlassian", versions: [ { lessThan: "9.4.4", status: "affected", version: "0", versionType: "custom", }, { lessThan: "9.3.6", status: "affected", version: "9.3.0", versionType: "custom", }, { lessThan: "9.2.16", status: "affected", version: "9.2.1", versionType: "custom", }, { lessThan: "9.1.3", status: "affected", version: "9.1.0", versionType: "custom", }, { status: "unaffected", version: "9.2.17", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-21689", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-08-27T03:55:20.295438Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-94", description: "CWE-94 Improper Control of Generation of Code ('Code Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-13T15:46:54.670Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "Bamboo Data Center", vendor: "Atlassian", versions: [ { status: "affected", version: "9.6.0 to 9.6.4", }, { status: "affected", version: "9.5.0 to 9.5.4", }, { status: "affected", version: "9.4.0 to 9.4.4", }, { status: "affected", version: "9.3.0 to 9.3.6", }, { status: "affected", version: "9.2.1 to 9.2.16", }, { status: "affected", version: "9.1.0 to 9.1.3", }, { status: "unaffected", version: "9.6.5", }, { status: "unaffected", version: "9.2.17", }, ], }, { product: "Bamboo Server", vendor: "Atlassian", versions: [ { status: "affected", version: "9.4.0 to 9.4.4", }, { status: "affected", version: "9.3.0 to 9.3.6", }, { status: "affected", version: "9.2.1 to 9.2.16", }, { status: "affected", version: "9.1.0 to 9.1.3", }, { status: "unaffected", version: "9.2.17", }, ], }, ], credits: [ { lang: "en", value: "Bug Bounty", }, ], descriptions: [ { lang: "en", value: "This High severity RCE (Remote Code Execution) vulnerability CVE-2024-21689 was introduced in versions 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bamboo Data Center and Server.\r\n\r\nThis RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.6, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction.\r\n\r\nAtlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.17\r\n\r\n Bamboo Data Center and Server 9.6: Upgrade to a release greater than or equal to 9.6.5\r\n\r\nSee the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).\r\n\r\nThis vulnerability was reported via our Bug Bounty program.", }, ], metrics: [ { cvssV3_0: { baseScore: 7.6, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "RCE (Remote Code Execution)", lang: "en", type: "RCE (Remote Code Execution)", }, ], }, ], providerMetadata: { dateUpdated: "2024-08-20T10:00:00.967Z", orgId: "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", shortName: "atlassian", }, references: [ { url: "https://confluence.atlassian.com/pages/viewpage.action?pageId=1431535667", }, { url: "https://jira.atlassian.com/browse/BAM-25858", }, ], }, }, cveMetadata: { assignerOrgId: "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", assignerShortName: "atlassian", cveId: "CVE-2024-21689", datePublished: "2024-08-20T10:00:00.967Z", dateReserved: "2024-01-01T00:05:33.847Z", dateUpdated: "2025-03-13T15:46:54.670Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-21687
Vulnerability from cvelistv5
Published
2024-07-16 20:30
Modified
2025-03-14 16:02
Severity ?
EPSS score ?
Summary
This High severity File Inclusion vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0 and 9.6.0 of Bamboo Data Center and Server.
This File Inclusion vulnerability, with a CVSS Score of 8.1, allows an authenticated attacker to get the application to display the contents of a local file, or execute a different files already stored locally on the server which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires no user interaction.
Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions listed on this CVE
See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Server from the download center (https://www.atlassian.com/software/bamboo/download-archives).
This vulnerability was reported via our Bug Bounty program.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Atlassian | Bamboo Data Center |
Version: 9.6.0 to 9.6.3 Version: 9.5.0 to 9.5.4 Version: 9.4.0 to 9.4.4 Version: 9.3.0 to 9.3.6 Version: 9.2.1 to 9.2.15 Version: 9.1.0 to 9.1.3 |
||||||
|
|||||||||
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:atlassian:bamboo_data_center:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "bamboo_data_center", vendor: "atlassian", versions: [ { lessThan: "9.6.3", status: "affected", version: "9.6.0", versionType: "custom", }, { lessThan: "9.5.4", status: "affected", version: "9.5.0", versionType: "custom", }, { lessThan: "9.4.4", status: "affected", version: "9.4.0", versionType: "custom", }, { lessThan: "9.3.6", status: "affected", version: "9.3.0", versionType: "custom", }, { lessThan: "9.2.15", status: "affected", version: "9.2.1", versionType: "custom", }, { lessThan: "9.1.3", status: "affected", version: "9.1.0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:bamboo_server:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "bamboo_server", vendor: "atlassian", versions: [ { lessThan: "9.4.4", status: "affected", version: "9.4.0", versionType: "custom", }, { lessThan: "9.3.6", status: "affected", version: "9.3.0", versionType: "custom", }, { lessThan: "9.2.15", status: "affected", version: "9.2.1", versionType: "custom", }, { lessThan: "9.1.3", status: "affected", version: "9.1.0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-21687", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-07-17T15:18:28.986939Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-98", description: "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-14T16:02:45.304Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T22:27:36.189Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://confluence.atlassian.com/pages/viewpage.action?pageId=1417150917", }, { tags: [ "x_transferred", ], url: "https://jira.atlassian.com/browse/BAM-25822", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Bamboo Data Center", vendor: "Atlassian", versions: [ { status: "affected", version: "9.6.0 to 9.6.3", }, { status: "affected", version: "9.5.0 to 9.5.4", }, { status: "affected", version: "9.4.0 to 9.4.4", }, { status: "affected", version: "9.3.0 to 9.3.6", }, { status: "affected", version: "9.2.1 to 9.2.15", }, { status: "affected", version: "9.1.0 to 9.1.3", }, { status: "unaffected", version: "9.6.4", }, { status: "unaffected", version: "9.2.16", }, ], }, { product: "Bamboo Server", vendor: "Atlassian", versions: [ { status: "affected", version: "9.4.0 to 9.4.4", }, { status: "affected", version: "9.3.0 to 9.3.6", }, { status: "affected", version: "9.2.1 to 9.2.15", }, { status: "affected", version: "9.1.0 to 9.1.3", }, { status: "unaffected", version: "9.2.16", }, ], }, ], credits: [ { lang: "en", value: "Bug Bounty", }, ], descriptions: [ { lang: "en", value: "This High severity File Inclusion vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0 and 9.6.0 of Bamboo Data Center and Server.\n\nThis File Inclusion vulnerability, with a CVSS Score of 8.1, allows an authenticated attacker to get the application to display the contents of a local file, or execute a different files already stored locally on the server which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires no user interaction.\n\nAtlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions listed on this CVE\n\nSee the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Server from the download center (https://www.atlassian.com/software/bamboo/download-archives).\n\nThis vulnerability was reported via our Bug Bounty program.", }, ], metrics: [ { cvssV3_0: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "File Inclusion", lang: "en", type: "File Inclusion", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-16T20:30:00.385Z", orgId: "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", shortName: "atlassian", }, references: [ { url: "https://confluence.atlassian.com/pages/viewpage.action?pageId=1417150917", }, { url: "https://jira.atlassian.com/browse/BAM-25822", }, ], }, }, cveMetadata: { assignerOrgId: "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", assignerShortName: "atlassian", cveId: "CVE-2024-21687", datePublished: "2024-07-16T20:30:00.385Z", dateReserved: "2024-01-01T00:05:33.847Z", dateUpdated: "2025-03-14T16:02:45.304Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-22506
Vulnerability from cvelistv5
Published
2023-07-18 23:30
Modified
2024-10-01 17:07
Severity ?
EPSS score ?
Summary
This High severity Injection and RCE (Remote Code Execution) vulnerability known as CVE-2023-22506 was introduced in version 8.0.0 of Bamboo Data Center.
This Injection and RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.5, allows an authenticated attacker to
modify the actions taken by a system call and execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and no user interaction.
Atlassian recommends that you upgrade your instance to latest version. If you're unable to upgrade to latest, upgrade to one of these fixed versions: 9.2.3 and 9.3.1. See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html|https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Bamboo Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives|https://www.atlassian.com/software/bamboo/download-archives]).
This vulnerability was reported via our Penetration Testing program.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Atlassian | Bamboo Data Center |
Version: >= 8.0.0 |
||||||
|
|||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T10:13:48.523Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://jira.atlassian.com/browse/BAM-22400", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:atlassian:bamboo_data_center:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "bamboo_data_center", vendor: "atlassian", versions: [ { lessThan: "9.2.3", status: "affected", version: "8.0.0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:bamboo_server:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "bamboo_server", vendor: "atlassian", versions: [ { lessThan: "9.2.3", status: "affected", version: "8.0.0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2023-22506", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-10-01T17:04:42.555058Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-94", description: "CWE-94 Improper Control of Generation of Code ('Code Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-10-01T17:07:21.233Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "Bamboo Data Center", vendor: "Atlassian", versions: [ { status: "unaffected", version: "< 8.0.0", }, { status: "affected", version: ">= 8.0.0", }, { status: "unaffected", version: ">= 9.2.3", }, { status: "unaffected", version: ">= 9.3.1", }, ], }, { product: "Bamboo Server", vendor: "Atlassian", versions: [ { status: "unaffected", version: "< 8.0.0", }, { status: "affected", version: ">= 8.0.0", }, { status: "unaffected", version: ">= 9.2.3", }, { status: "unaffected", version: ">= 9.3.1", }, ], }, ], credits: [ { lang: "en", value: "a private user", }, ], descriptions: [ { lang: "en", value: "This High severity Injection and RCE (Remote Code Execution) vulnerability known as CVE-2023-22506 was introduced in version 8.0.0 of Bamboo Data Center.\n \n\nThis Injection and RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.5, allows an authenticated attacker to\nmodify the actions taken by a system call and execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and no user interaction.\n \n \nAtlassian recommends that you upgrade your instance to latest version. If you're unable to upgrade to latest, upgrade to one of these fixed versions: 9.2.3 and 9.3.1. See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html|https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Bamboo Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives|https://www.atlassian.com/software/bamboo/download-archives]).\n \n\nThis vulnerability was reported via our Penetration Testing program.", }, ], metrics: [ { cvssV3_0: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Injection", lang: "en", type: "Injection", }, ], }, ], providerMetadata: { dateUpdated: "2023-07-19T16:30:00.557Z", orgId: "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", shortName: "atlassian", }, references: [ { url: "https://jira.atlassian.com/browse/BAM-22400", }, ], }, }, cveMetadata: { assignerOrgId: "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", assignerShortName: "atlassian", cveId: "CVE-2023-22506", datePublished: "2023-07-18T23:30:00.342Z", dateReserved: "2023-01-01T00:01:22.329Z", dateUpdated: "2024-10-01T17:07:21.233Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-26137
Vulnerability from cvelistv5
Published
2022-07-20 17:25
Modified
2024-10-03 17:10
Severity ?
EPSS score ?
Summary
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
References
| ▼ | URL | Tags |
|---|---|---|
| https://jira.atlassian.com/browse/BAM-21795 | x_refsource_MISC | |
| https://jira.atlassian.com/browse/BSERV-13370 | x_refsource_MISC | |
| https://jira.atlassian.com/browse/CONFSERVER-79476 | x_refsource_MISC | |
| https://jira.atlassian.com/browse/CWD-5815 | x_refsource_MISC | |
| https://jira.atlassian.com/browse/FE-7410 | x_refsource_MISC | |
| https://jira.atlassian.com/browse/CRUC-8541 | x_refsource_MISC | |
| https://jira.atlassian.com/browse/JRASERVER-73897 | x_refsource_MISC | |
| https://jira.atlassian.com/browse/JSDSERVER-11863 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | Atlassian | Bamboo Server |
Version: unspecified < 8.0.9 Version: 8.1.0 < unspecified Version: unspecified < 8.1.8 Version: 8.2.0 < unspecified Version: unspecified < 8.2.4 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T04:56:37.614Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://jira.atlassian.com/browse/BAM-21795", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://jira.atlassian.com/browse/BSERV-13370", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://jira.atlassian.com/browse/CONFSERVER-79476", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://jira.atlassian.com/browse/CWD-5815", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://jira.atlassian.com/browse/FE-7410", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://jira.atlassian.com/browse/CRUC-8541", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://jira.atlassian.com/browse/JRASERVER-73897", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://jira.atlassian.com/browse/JSDSERVER-11863", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "bamboo", vendor: "atlassian", versions: [ { lessThan: "7.2.10", status: "affected", version: "7.2.0", versionType: "custom", }, { lessThan: "8.0.9", status: "affected", version: "8.0.0", versionType: "custom", }, { lessThan: "8.1.8", status: "affected", version: "8.1.0", versionType: "custom", }, { lessThan: "8.2.4", status: "affected", version: "8.2.0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "bitbucket", vendor: "atlassian", versions: [ { lessThan: "7.6.16", status: "affected", version: "0", versionType: "custom", }, { lessThan: "7.17.8", status: "affected", version: "7.7.0", versionType: "custom", }, { lessThan: "7.19.5", status: "affected", version: "7.18.0", versionType: "custom", }, { lessThan: "7.20.2", status: "affected", version: "7.20.1", versionType: "custom", }, { lessThan: "7.21.2", status: "affected", version: "7.21.0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:bitbucket:8.0.0:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "bitbucket", vendor: "atlassian", versions: [ { status: "affected", version: "8.0.0", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:bitbucket:8.1.0:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "bitbucket", vendor: "atlassian", versions: [ { status: "affected", version: "8.1.0", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "confluence_data_center", vendor: "atlassian", versions: [ { lessThan: "7.4.17", status: "affected", version: "0", versionType: "custom", }, { lessThan: "7.13.7", status: "affected", version: "7.5.0", versionType: "custom", }, { lessThan: "7.14.3", status: "affected", version: "7.14.0", versionType: "custom", }, { lessThan: "7.15.2", status: "affected", version: "7.15.0", versionType: "custom", }, { lessThan: "7.16.4", status: "affected", version: "7.16.0", versionType: "custom", }, { lessThan: "7.17.4", status: "affected", version: "7.17.0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "confluence_data_center", vendor: "atlassian", versions: [ { status: "affected", version: "7.18.0", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "confluence_server", vendor: "atlassian", versions: [ { lessThan: "7.4.17", status: "affected", version: "0", versionType: "custom", }, { lessThan: "7.13.7", status: "affected", version: "7.5.0", versionType: "custom", }, { lessThan: "7.14.3", status: "affected", version: "7.14.0", versionType: "custom", }, { lessThan: "7.15.2", status: "affected", version: "7.15.0", versionType: "custom", }, { lessThan: "7.16.4", status: "affected", version: "7.16.0", versionType: "custom", }, { lessThan: "7.17.4", status: "affected", version: "7.17.0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "confluence_server", vendor: "atlassian", versions: [ { status: "affected", version: "7.18.0", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "crowd", vendor: "atlassian", versions: [ { lessThan: "4.3.8", status: "affected", version: "0", versionType: "custom", }, { lessThan: "4.4.2", status: "affected", version: "4.4.0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:crowd:5.0.0:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "crowd", vendor: "atlassian", versions: [ { status: "affected", version: "5.0.0", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "crucible", vendor: "atlassian", versions: [ { lessThan: "4.8.10", status: "affected", version: "0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "fisheye", vendor: "atlassian", versions: [ { lessThan: "4.8.10", status: "affected", version: "0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "jira_data_center", vendor: "atlassian", versions: [ { lessThan: "8.13.22", status: "affected", version: "8.13.0", versionType: "custom", }, { lessThan: "8.20.10", status: "affected", version: "8.14.0", versionType: "custom", }, { lessThan: "8.22.4", status: "affected", version: "8.21.0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "jira_server", vendor: "atlassian", versions: [ { lessThan: "8.13.22", status: "affected", version: "8.13.0", versionType: "custom", }, { lessThan: "8.20.10", status: "affected", version: "8.14.0", versionType: "custom", }, { lessThan: "8.22.4", status: "affected", version: "8.21.0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:jira_service_desk:-:*:*:*:server:*:*:*", ], defaultStatus: "unknown", product: "jira_service_desk", vendor: "atlassian", versions: [ { lessThan: "4.13.22", status: "affected", version: "0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:jira_service_desk:-:*:*:*:data_center:*:*:*", ], defaultStatus: "unknown", product: "jira_service_desk", vendor: "atlassian", versions: [ { lessThan: "4.13.22", status: "affected", version: "0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*", ], defaultStatus: "unknown", product: "jira_service_management", vendor: "atlassian", versions: [ { lessThan: "4.20.10", status: "affected", version: "4.14.0", versionType: "custom", }, { lessThan: "4.22.4", status: "affected", version: "4.21.0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*", ], defaultStatus: "unknown", product: "jira_service_management", vendor: "atlassian", versions: [ { lessThan: "4.20.10", status: "affected", version: "4.14.0", versionType: "custom", }, { lessThan: "4.22.4", status: "affected", version: "4.21.0", versionType: "custom", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2022-26137", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-10-03T16:48:52.174175Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-03T17:10:16.886Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "Bamboo Server", vendor: "Atlassian", versions: [ { lessThan: "8.0.9", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "8.1.0", versionType: "custom", }, { lessThan: "8.1.8", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "8.2.0", versionType: "custom", }, { lessThan: "8.2.4", status: "affected", version: "unspecified", versionType: "custom", }, ], }, { product: "Bamboo Data Center", vendor: "Atlassian", versions: [ { lessThan: "8.0.9", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "8.1.0", versionType: "custom", }, { lessThan: "8.1.8", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "8.2.0", versionType: "custom", }, { lessThan: "8.2.4", status: "affected", version: "unspecified", versionType: "custom", }, ], }, { product: "Bitbucket Server", vendor: "Atlassian", versions: [ { lessThan: "7.6.16", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.7.0", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.16.0", versionType: "custom", }, { lessThan: "7.17.8", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.18.0", versionType: "custom", }, { lessThan: "7.19.5", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.20.0", versionType: "custom", }, { lessThan: "7.20.2", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.21.0", versionType: "custom", }, { lessThan: "7.21.2", status: "affected", version: "unspecified", versionType: "custom", }, { status: "affected", version: "8.0.0", }, { status: "affected", version: "8.1.0", }, ], }, { product: "Bitbucket Data Center", vendor: "Atlassian", versions: [ { lessThan: "7.6.16", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.7.0", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.16.0", versionType: "custom", }, { lessThan: "7.17.8", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.18.0", versionType: "custom", }, { lessThan: "7.19.5", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.20.0", versionType: "custom", }, { lessThan: "7.20.2", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.21.0", versionType: "custom", }, { lessThan: "7.21.2", status: "affected", version: "unspecified", versionType: "custom", }, { status: "affected", version: "8.0.0", }, { status: "affected", version: "8.1.0", }, ], }, { product: "Confluence Server", vendor: "Atlassian", versions: [ { lessThan: "7.4.17", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.5.0", versionType: "custom", }, { lessThan: "7.13.7", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.14.0", versionType: "custom", }, { lessThan: "7.14.3", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.15.0", versionType: "custom", }, { lessThan: "7.15.2", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.16.0", versionType: "custom", }, { lessThan: "7.16.4", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.17.0", versionType: "custom", }, { lessThan: "7.17.4", status: "affected", version: "unspecified", versionType: "custom", }, { status: "affected", version: "7.18.0", }, ], }, { product: "Confluence Data Center", vendor: "Atlassian", versions: [ { lessThan: "7.4.17", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.5.0", versionType: "custom", }, { lessThan: "7.13.7", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.14.0", versionType: "custom", }, { lessThan: "7.14.3", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.15.0", versionType: "custom", }, { lessThan: "7.15.2", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.16.0", versionType: "custom", }, { lessThan: "7.16.4", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "7.17.0", versionType: "custom", }, { lessThan: "7.17.4", status: "affected", version: "unspecified", versionType: "custom", }, { status: "affected", version: "7.18.0", }, ], }, { product: "Crowd Server", vendor: "Atlassian", versions: [ { lessThan: "4.3.8", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "4.4.0", versionType: "custom", }, { lessThan: "4.4.2", status: "affected", version: "unspecified", versionType: "custom", }, { status: "affected", version: "5.0.0", }, ], }, { product: "Crowd Data Center", vendor: "Atlassian", versions: [ { lessThan: "4.3.8", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "4.4.0", versionType: "custom", }, { lessThan: "4.4.2", status: "affected", version: "unspecified", versionType: "custom", }, { status: "affected", version: "5.0.0", }, ], }, { product: "Crucible", vendor: "Atlassian", versions: [ { lessThan: "4.8.10", status: "affected", version: "unspecified", versionType: "custom", }, ], }, { product: "Fisheye", vendor: "Atlassian", versions: [ { lessThan: "4.8.10", status: "affected", version: "unspecified", versionType: "custom", }, ], }, { product: "Jira Core Server", vendor: "Atlassian", versions: [ { lessThan: "8.13.22", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "8.14.0", versionType: "custom", }, { lessThan: "8.20.10", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "8.21.0", versionType: "custom", }, { lessThan: "8.22.4", status: "affected", version: "unspecified", versionType: "custom", }, ], }, { product: "Jira Software Server", vendor: "Atlassian", versions: [ { lessThan: "8.13.22", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "8.14.0", versionType: "custom", }, { lessThan: "8.20.10", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "8.21.0", versionType: "custom", }, { lessThan: "8.22.4", status: "affected", version: "unspecified", versionType: "custom", }, ], }, { product: "Jira Software Data Center", vendor: "Atlassian", versions: [ { lessThan: "8.13.22", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "8.14.0", versionType: "custom", }, { lessThan: "8.20.10", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "8.21.0", versionType: "custom", }, { lessThan: "8.22.4", status: "affected", version: "unspecified", versionType: "custom", }, ], }, { product: "Jira Service Management Server", vendor: "Atlassian", versions: [ { lessThan: "4.13.22", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "4.14.0", versionType: "custom", }, { lessThan: "4.20.10", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "4.21.0", versionType: "custom", }, { lessThan: "4.22.4", status: "affected", version: "unspecified", versionType: "custom", }, ], }, { product: "Jira Service Management Data Center", vendor: "Atlassian", versions: [ { lessThan: "4.13.22", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "4.14.0", versionType: "custom", }, { lessThan: "4.20.10", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "4.21.0", versionType: "custom", }, { lessThan: "4.22.4", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], datePublic: "2022-07-20T00:00:00", descriptions: [ { lang: "en", value: "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-180", description: "Incorrect Behavior Order: Validate Before Canonicalize (CWE-180)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-07-20T17:25:23", orgId: "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", shortName: "atlassian", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://jira.atlassian.com/browse/BAM-21795", }, { tags: [ "x_refsource_MISC", ], url: "https://jira.atlassian.com/browse/BSERV-13370", }, { tags: [ "x_refsource_MISC", ], url: "https://jira.atlassian.com/browse/CONFSERVER-79476", }, { tags: [ "x_refsource_MISC", ], url: "https://jira.atlassian.com/browse/CWD-5815", }, { tags: [ "x_refsource_MISC", ], url: "https://jira.atlassian.com/browse/FE-7410", }, { tags: [ "x_refsource_MISC", ], url: "https://jira.atlassian.com/browse/CRUC-8541", }, { tags: [ "x_refsource_MISC", ], url: "https://jira.atlassian.com/browse/JRASERVER-73897", }, { tags: [ "x_refsource_MISC", ], url: "https://jira.atlassian.com/browse/JSDSERVER-11863", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@atlassian.com", DATE_PUBLIC: "2022-07-20T00:00:00", ID: "CVE-2022-26137", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Bamboo Server", version: { version_data: [ { version_affected: "<", version_value: "8.0.9", }, { version_affected: ">=", version_value: "8.1.0", }, { version_affected: "<", version_value: "8.1.8", }, { version_affected: ">=", version_value: "8.2.0", }, { version_affected: "<", version_value: "8.2.4", }, ], }, }, { product_name: "Bamboo Data Center", version: { version_data: [ { version_affected: "<", version_value: "8.0.9", }, { version_affected: ">=", version_value: "8.1.0", }, { version_affected: "<", version_value: "8.1.8", }, { version_affected: ">=", version_value: "8.2.0", }, { version_affected: "<", version_value: "8.2.4", }, ], }, }, { product_name: "Bitbucket Server", version: { version_data: [ { version_affected: "<", version_value: "7.6.16", }, { version_affected: ">=", version_value: "7.7.0", }, { version_affected: ">=", version_value: "7.16.0", }, { version_affected: "<", version_value: "7.17.8", }, { version_affected: ">=", version_value: "7.18.0", }, { version_affected: "<", version_value: "7.19.5", }, { version_affected: ">=", version_value: "7.20.0", }, { version_affected: "<", version_value: "7.20.2", }, { version_affected: ">=", version_value: "7.21.0", }, { version_affected: "<", version_value: "7.21.2", }, { version_affected: "=", version_value: "8.0.0", }, { version_affected: "=", version_value: "8.1.0", }, ], }, }, { product_name: "Bitbucket Data Center", version: { version_data: [ { version_affected: "<", version_value: "7.6.16", }, { version_affected: ">=", version_value: "7.7.0", }, { version_affected: ">=", version_value: "7.16.0", }, { version_affected: "<", version_value: "7.17.8", }, { version_affected: ">=", version_value: "7.18.0", }, { version_affected: "<", version_value: "7.19.5", }, { version_affected: ">=", version_value: "7.20.0", }, { version_affected: "<", version_value: "7.20.2", }, { version_affected: ">=", version_value: "7.21.0", }, { version_affected: "<", version_value: "7.21.2", }, { version_affected: "=", version_value: "8.0.0", }, { version_affected: "=", version_value: "8.1.0", }, ], }, }, { product_name: "Confluence Server", version: { version_data: [ { version_affected: "<", version_value: "7.4.17", }, { version_affected: ">=", version_value: "7.5.0", }, { version_affected: "<", version_value: "7.13.7", }, { version_affected: ">=", version_value: "7.14.0", }, { version_affected: "<", version_value: "7.14.3", }, { version_affected: ">=", version_value: "7.15.0", }, { version_affected: "<", version_value: "7.15.2", }, { version_affected: ">=", version_value: "7.16.0", }, { version_affected: "<", version_value: "7.16.4", }, { version_affected: ">=", version_value: "7.17.0", }, { version_affected: "<", version_value: "7.17.4", }, { version_affected: "=", version_value: "7.18.0", }, ], }, }, { product_name: "Confluence Data Center", version: { version_data: [ { version_affected: "<", version_value: "7.4.17", }, { version_affected: ">=", version_value: "7.5.0", }, { version_affected: "<", version_value: "7.13.7", }, { version_affected: ">=", version_value: "7.14.0", }, { version_affected: "<", version_value: "7.14.3", }, { version_affected: ">=", version_value: "7.15.0", }, { version_affected: "<", version_value: "7.15.2", }, { version_affected: ">=", version_value: "7.16.0", }, { version_affected: "<", version_value: "7.16.4", }, { version_affected: ">=", version_value: "7.17.0", }, { version_affected: "<", version_value: "7.17.4", }, { version_affected: "=", version_value: "7.18.0", }, ], }, }, { product_name: "Crowd Server", version: { version_data: [ { version_affected: "<", version_value: "4.3.8", }, { version_affected: ">=", version_value: "4.4.0", }, { version_affected: "<", version_value: "4.4.2", }, { version_affected: "=", version_value: "5.0.0", }, ], }, }, { product_name: "Crowd Data Center", version: { version_data: [ { version_affected: "<", version_value: "4.3.8", }, { version_affected: ">=", version_value: "4.4.0", }, { version_affected: "<", version_value: "4.4.2", }, { version_affected: "=", version_value: "5.0.0", }, ], }, }, { product_name: "Crucible", version: { version_data: [ { version_affected: "<", version_value: "4.8.10", }, ], }, }, { product_name: "Fisheye", version: { version_data: [ { version_affected: "<", version_value: "4.8.10", }, ], }, }, { product_name: "Jira Core Server", version: { version_data: [ { version_affected: "<", version_value: "8.13.22", }, { version_affected: ">=", version_value: "8.14.0", }, { version_affected: "<", version_value: "8.20.10", }, { version_affected: ">=", version_value: "8.21.0", }, { version_affected: "<", version_value: "8.22.4", }, ], }, }, { product_name: "Jira Software Server", version: { version_data: [ { version_affected: "<", version_value: "8.13.22", }, { version_affected: ">=", version_value: "8.14.0", }, { version_affected: "<", version_value: "8.20.10", }, { version_affected: ">=", version_value: "8.21.0", }, { version_affected: "<", version_value: "8.22.4", }, ], }, }, { product_name: "Jira Software Data Center", version: { version_data: [ { version_affected: "<", version_value: "8.13.22", }, { version_affected: ">=", version_value: "8.14.0", }, { version_affected: "<", version_value: "8.20.10", }, { version_affected: ">=", version_value: "8.21.0", }, { version_affected: "<", version_value: "8.22.4", }, ], }, }, { product_name: "Jira Service Management Server", version: { version_data: [ { version_affected: "<", version_value: "4.13.22", }, { version_affected: ">=", version_value: "4.14.0", }, { version_affected: "<", version_value: "4.20.10", }, { version_affected: ">=", version_value: "4.21.0", }, { version_affected: "<", version_value: "4.22.4", }, ], }, }, { product_name: "Jira Service Management Data Center", version: { version_data: [ { version_affected: "<", version_value: "4.13.22", }, { version_affected: ">=", version_value: "4.14.0", }, { version_affected: "<", version_value: "4.20.10", }, { version_affected: ">=", version_value: "4.21.0", }, { version_affected: "<", version_value: "4.22.4", }, ], }, }, ], }, vendor_name: "Atlassian", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Incorrect Behavior Order: Validate Before Canonicalize (CWE-180)", }, ], }, ], }, references: { reference_data: [ { name: "https://jira.atlassian.com/browse/BAM-21795", refsource: "MISC", url: "https://jira.atlassian.com/browse/BAM-21795", }, { name: "https://jira.atlassian.com/browse/BSERV-13370", refsource: "MISC", url: "https://jira.atlassian.com/browse/BSERV-13370", }, { name: "https://jira.atlassian.com/browse/CONFSERVER-79476", refsource: "MISC", url: "https://jira.atlassian.com/browse/CONFSERVER-79476", }, { name: "https://jira.atlassian.com/browse/CWD-5815", refsource: "MISC", url: "https://jira.atlassian.com/browse/CWD-5815", }, { name: "https://jira.atlassian.com/browse/FE-7410", refsource: "MISC", url: "https://jira.atlassian.com/browse/FE-7410", }, { name: "https://jira.atlassian.com/browse/CRUC-8541", refsource: "MISC", url: "https://jira.atlassian.com/browse/CRUC-8541", }, { name: "https://jira.atlassian.com/browse/JRASERVER-73897", refsource: "MISC", url: "https://jira.atlassian.com/browse/JRASERVER-73897", }, { name: "https://jira.atlassian.com/browse/JSDSERVER-11863", refsource: "MISC", url: "https://jira.atlassian.com/browse/JSDSERVER-11863", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", assignerShortName: "atlassian", cveId: "CVE-2022-26137", datePublished: "2022-07-20T17:25:23.603830Z", dateReserved: "2022-02-25T00:00:00", dateUpdated: "2024-10-03T17:10:16.886Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }