Search criteria
60 vulnerabilities found for bitbucket by atlassian
FKIE_CVE-2022-43781
Vulnerability from fkie_nvd - Published: 2022-11-17 00:15 - Updated: 2024-11-21 07:27
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled “Allow public signup”.
References
| URL | Tags | ||
|---|---|---|---|
| security@atlassian.com | https://confluence.atlassian.com/x/Y4hXRg | Mitigation, Release Notes, Vendor Advisory | |
| security@atlassian.com | https://jira.atlassian.com/browse/BSERV-13522 | Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://confluence.atlassian.com/x/Y4hXRg | Mitigation, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BSERV-13522 | Issue Tracking, Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "724D75B1-262B-4834-BDF9-359992FE358F",
"versionEndExcluding": "7.6.19",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7DDB30B8-27BB-4754-A801-CC6D7FBD112D",
"versionEndExcluding": "7.17.12",
"versionStartIncluding": "7.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C46D83C6-2375-4187-9A5F-1AD81A6520DA",
"versionEndExcluding": "7.21.6",
"versionStartIncluding": "7.18.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "18D68073-ED08-433F-9EB3-6BE4D58B08E6",
"versionEndExcluding": "8.0.5",
"versionStartIncluding": "7.22.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7C1B0213-8CA7-4179-90D3-FCFE8BBE33BA",
"versionEndExcluding": "8.1.5",
"versionStartIncluding": "8.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0D270F32-1BB2-46F8-8737-4CB39508EDD4",
"versionEndExcluding": "8.2.4",
"versionStartIncluding": "8.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CF6224A3-4AD8-4DA7-8E68-A890B3915337",
"versionEndExcluding": "8.3.3",
"versionStartIncluding": "8.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "224634CB-9CA5-4292-B3F8-B3A86E4ADD70",
"versionEndExcluding": "8.4.2",
"versionStartIncluding": "8.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled \u201cAllow public signup\u201d."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de inyecci\u00f3n de comandos mediante variables de entorno en Bitbucket Server y Data Center. Un atacante con permiso para controlar su nombre de usuario puede aprovechar este problema para ejecutar c\u00f3digo arbitrario en el sistema. Esta vulnerabilidad puede no autenticarse si la instancia de Bitbucket Server y Data Center ha habilitado \"Allow public signup\"."
}
],
"id": "CVE-2022-43781",
"lastModified": "2024-11-21T07:27:14.543",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-11-17T00:15:18.483",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Mitigation",
"Release Notes",
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/x/Y4hXRg"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-13522"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Release Notes",
"Vendor Advisory"
],
"url": "https://confluence.atlassian.com/x/Y4hXRg"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-13522"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-36804
Vulnerability from fkie_nvd - Published: 2022-08-25 06:15 - Updated: 2025-10-24 13:37
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.
References
{
"cisaActionDue": "2022-10-21",
"cisaExploitAdd": "2022-09-30",
"cisaRequiredAction": "Apply updates per vendor instructions.",
"cisaVulnerabilityName": "Atlassian Bitbucket Server and Data Center Command Injection Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "54F27ACB-8092-49D9-B3E6-84202A474E07",
"versionEndExcluding": "7.6.17",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4841A291-6ED4-46BF-A20D-9B6C580D0848",
"versionEndExcluding": "7.17.10",
"versionStartIncluding": "7.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2DA55F12-AE5A-4EB0-8A9D-F8C931470686",
"versionEndExcluding": "7.21.4",
"versionStartIncluding": "7.18.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EF552168-931B-4D5C-8D61-371F00517217",
"versionEndExcluding": "8.0.3",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "86586513-D050-4522-91EE-E10A2C0D36DA",
"versionEndExcluding": "8.1.3",
"versionStartIncluding": "8.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1D177223-A7CD-48D7-9AE6-709D769C8466",
"versionEndExcluding": "8.2.2",
"versionStartIncluding": "8.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:8.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "067642A5-9F53-4ADC-956B-B2576853A3FD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew."
},
{
"lang": "es",
"value": "M\u00faltiples endpoints de la API en Atlassian Bitbucket Server y Data Center 7.0.0 versiones anteriores a 7.6.17, desde versiones 7.7.0 anteriores a 7.17.10, desde versiones 7.18.0 anteriores a 7.21.4, desde versiones 8.0.0 anteriores a 8.0.3, desde versiones 8.1. 0 versiones anteriores a 8.1.3, y desde versiones 8.2.0 anteriores a 8.2.2, y desde versiones 8.3.0 anteriores a 8.3.1, permite a atacantes remotos con permisos de lectura en un repositorio p\u00fablico o privado de Bitbucket ejecutar c\u00f3digo arbitrario enviando una petici\u00f3n HTTP maliciosa. Esta vulnerabilidad fue reportada por medio de nuestro programa Bug Bounty por TheGrandPew."
}
],
"id": "CVE-2022-36804",
"lastModified": "2025-10-24T13:37:44.367",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-08-25T06:15:09.077",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html"
},
{
"source": "security@atlassian.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-13438"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-13438"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"US Government Resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-36804"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
},
{
"lang": "en",
"value": "CWE-88"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-78"
},
{
"lang": "en",
"value": "CWE-88"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-26136
Vulnerability from fkie_nvd - Published: 2022-07-20 18:15 - Updated: 2024-11-21 06:53
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "218C960A-04C6-4242-BEBA-C81CF5F1F722",
"versionEndExcluding": "7.2.10",
"versionStartIncluding": "7.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E360CDE0-FD1E-4337-8268-DB89CF605EE0",
"versionEndExcluding": "8.0.9",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C0913EE0-2046-4E7E-966D-DC894E34D12B",
"versionEndExcluding": "8.1.8",
"versionStartIncluding": "8.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D182C1B1-A5FF-4777-9835-4E9114BB68DC",
"versionEndExcluding": "8.2.4",
"versionStartIncluding": "8.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4DCD53E4-3169-4E8A-88D1-38BE51D09DD3",
"versionEndExcluding": "7.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9B878E40-95A7-40A7-9C52-6BC0C2FD3F54",
"versionEndExcluding": "7.17.8",
"versionStartIncluding": "7.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "46305D5A-7F7B-4A04-9DAD-E582D1193A7E",
"versionEndExcluding": "7.19.5",
"versionStartIncluding": "7.18.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A96B135B-9272-457E-A557-6566554262D3",
"versionEndExcluding": "7.20.2",
"versionStartIncluding": "7.20.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "62956861-BEDE-40C8-B628-C831087E7BDB",
"versionEndExcluding": "7.21.2",
"versionStartIncluding": "7.21.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:8.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7A85565F-3F80-4E00-A706-AB4B2EAA4AFB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:8.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "99E2E3C0-CDF0-4D79-80A6-85E71B947ED9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1C543CA6-8E8A-476C-AB27-614DF4EC68A5",
"versionEndExcluding": "7.4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "45FD913B-45DE-4CA8-9733-D62F54B19E74",
"versionEndExcluding": "7.13.7",
"versionStartIncluding": "7.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "12E753EB-0D31-448B-B8DE-0A95434CC97C",
"versionEndExcluding": "7.14.3",
"versionStartIncluding": "7.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DE114494-74F0-454C-AAC4-8B8E5F1C67D0",
"versionEndExcluding": "7.15.2",
"versionStartIncluding": "7.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "90BB3572-29ED-415F-AD34-00EB76271F9C",
"versionEndExcluding": "7.16.4",
"versionStartIncluding": "7.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "30EF756A-B4E9-4E5D-BE6F-02CE95F12C9C",
"versionEndExcluding": "7.17.4",
"versionStartIncluding": "7.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A56B6A10-E23F-49EF-8C07-1AEDFCAE2788",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AE8BE634-1599-4790-9410-6CA43BC60C4D",
"versionEndExcluding": "7.4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "52E68DFD-48F5-4949-AFEA-3829CA5DFC04",
"versionEndExcluding": "7.13.7",
"versionStartIncluding": "7.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5DCDEC6C-4515-4CAA-9D82-7BF68A3AAE7E",
"versionEndExcluding": "7.14.3",
"versionStartIncluding": "7.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B9948F94-DF67-4E3C-8CD4-417D57FBC60F",
"versionEndExcluding": "7.15.2",
"versionStartIncluding": "7.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "30E63ECB-85A8-4D41-A9B5-9FFF18D9CDB1",
"versionEndExcluding": "7.16.4",
"versionStartIncluding": "7.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "694171BD-FAE2-472C-8183-04BCA2F7B9A7",
"versionEndExcluding": "7.17.4",
"versionStartIncluding": "7.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0AC5E81B-DA4B-45E7-9584-4B576E49FD8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EE028964-B3FC-4883-9967-68DE46EE7F6F",
"versionEndExcluding": "4.3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "57DC9E2A-4C89-420D-9330-F11E56BF2F83",
"versionEndExcluding": "4.4.2",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crowd:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C50A718F-C67B-4462-BB7E-F80408DEF07D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*",
"matchCriteriaId": "92329A2E-13E8-4818-85AB-3E7F479411EF",
"versionEndExcluding": "4.8.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*",
"matchCriteriaId": "30DDE751-CA88-4CFB-9E60-4243851B4B53",
"versionEndExcluding": "4.8.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D91B8507-A7A7-4B74-9999-F1DEA9F487A9",
"versionEndExcluding": "8.13.22",
"versionStartIncluding": "8.13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "963AE427-2897-42CB-AE11-654D700E690B",
"versionEndExcluding": "8.20.10",
"versionStartIncluding": "8.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A7CD8891-BB97-4AD3-BEE4-6CCA0D8A2D85",
"versionEndExcluding": "8.22.4",
"versionStartIncluding": "8.21.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E73A5202-6114-48E6-8F9B-C03B2E707055",
"versionEndExcluding": "8.13.22",
"versionStartIncluding": "8.13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D22AB11D-1D73-45DC-803C-146EFED18CDA",
"versionEndExcluding": "8.20.10",
"versionStartIncluding": "8.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BB2091E9-0B14-4786-852F-454C56D20839",
"versionEndExcluding": "8.22.4",
"versionStartIncluding": "8.21.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:data_center:*:*:*",
"matchCriteriaId": "1451C219-8AAA-4165-AE2C-033EF7B6F93A",
"versionEndExcluding": "4.13.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:server:*:*:*",
"matchCriteriaId": "BD23F987-0F14-4938-BB51-4EE61C24EB62",
"versionEndExcluding": "4.13.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*",
"matchCriteriaId": "39F77953-41D7-4398-9F07-2A057A993762",
"versionEndExcluding": "4.20.10",
"versionStartIncluding": "4.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*",
"matchCriteriaId": "CADBE0E7-36D9-4F6F-BEE6-A1E0B9428C2A",
"versionEndExcluding": "4.20.10",
"versionStartIncluding": "4.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*",
"matchCriteriaId": "DC0DB08B-2034-4691-A7B2-3E5F8B6318B1",
"versionEndExcluding": "4.22.4",
"versionStartIncluding": "4.21.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*",
"matchCriteriaId": "97A17BE7-7CCC-46D8-A317-53E2B026DF6E",
"versionEndExcluding": "4.22.4",
"versionStartIncluding": "4.21.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4."
},
{
"lang": "es",
"value": "Una vulnerabilidad en varios productos de Atlassian permite a un atacante remoto no autenticado omitir los filtros Servlet usados por aplicaciones de primera y tercera parte. El impacto depende de los filtros usados por cada aplicaci\u00f3n y de c\u00f3mo son usados los filtros. Esta vulnerabilidad puede resultar en una omisi\u00f3n de la autenticaci\u00f3n y un ataque de tipo cross-site scripting. Atlassian ha publicado actualizaciones que corrigen la causa principal de esta vulnerabilidad, pero no ha enumerado exhaustivamente todas las consecuencias potenciales de esta vulnerabilidad. Est\u00e1n afectadas las versiones de Atlassian Bamboo anteriores a 8.0.9, desde 8.1.0 hasta 8.1.8, y desde la 8.2.0 hasta 8.2.4. Las versiones de Atlassian Bitbucket est\u00e1n afectadas anteriores a 7.6.16, desde la 7.7.0 anteriores a 7.17.8, desde la 7.18.0 anteriores a 7.19.5, desde la 7.20.0 anteriores a 7.20.2, desde la 7.21.0 anteriores a 7.21.2, y las versiones 8.0.0 y 8.1.0. Est\u00e1n afectadas las versiones de Atlassian Confluence anteriores a 7.4.17, desde la 7.5.0 anteriores a 7.13.7, desde la 7.14.0 anteriores a 7.14.3, desde la 7.15.0 anteriores a 7.15.2, desde la 7.16.0 anteriores a 7.16.4, desde la 7.17.0 anteriores a 7.17.4 y la versi\u00f3n 7.21.0. Est\u00e1n afectadas las versiones de Atlassian Crowd anteriores a 4.3.8, desde la 4.4.0 hasta 4.4.2, y la versi\u00f3n 5.0.0. Est\u00e1n afectadas las versiones de Atlassian Fisheye y Crucible anteriores a 4.8.10. Est\u00e1n afectadas las versiones de Atlassian Jira anteriores a 8.13.22, desde la 8.14.0 hasta 8.20.10, y desde la 8.21.0 hasta 8.22.4. Las versiones de Atlassian Jira Service Management est\u00e1n afectadas anteriores a 4.13.22, desde la 4.14.0 anteriores a 4.20.10, y desde la 4.21.0 anteriores a 4.22.4"
}
],
"id": "CVE-2022-26136",
"lastModified": "2024-11-21T06:53:30.297",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-07-20T18:15:08.487",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-180"
}
],
"source": "security@atlassian.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-26137
Vulnerability from fkie_nvd - Published: 2022-07-20 18:15 - Updated: 2024-11-21 06:53
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "218C960A-04C6-4242-BEBA-C81CF5F1F722",
"versionEndExcluding": "7.2.10",
"versionStartIncluding": "7.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E360CDE0-FD1E-4337-8268-DB89CF605EE0",
"versionEndExcluding": "8.0.9",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C0913EE0-2046-4E7E-966D-DC894E34D12B",
"versionEndExcluding": "8.1.8",
"versionStartIncluding": "8.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D182C1B1-A5FF-4777-9835-4E9114BB68DC",
"versionEndExcluding": "8.2.4",
"versionStartIncluding": "8.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4DCD53E4-3169-4E8A-88D1-38BE51D09DD3",
"versionEndExcluding": "7.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9B878E40-95A7-40A7-9C52-6BC0C2FD3F54",
"versionEndExcluding": "7.17.8",
"versionStartIncluding": "7.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "46305D5A-7F7B-4A04-9DAD-E582D1193A7E",
"versionEndExcluding": "7.19.5",
"versionStartIncluding": "7.18.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A96B135B-9272-457E-A557-6566554262D3",
"versionEndExcluding": "7.20.2",
"versionStartIncluding": "7.20.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "62956861-BEDE-40C8-B628-C831087E7BDB",
"versionEndExcluding": "7.21.2",
"versionStartIncluding": "7.21.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:8.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7A85565F-3F80-4E00-A706-AB4B2EAA4AFB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:8.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "99E2E3C0-CDF0-4D79-80A6-85E71B947ED9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1C543CA6-8E8A-476C-AB27-614DF4EC68A5",
"versionEndExcluding": "7.4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "45FD913B-45DE-4CA8-9733-D62F54B19E74",
"versionEndExcluding": "7.13.7",
"versionStartIncluding": "7.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "12E753EB-0D31-448B-B8DE-0A95434CC97C",
"versionEndExcluding": "7.14.3",
"versionStartIncluding": "7.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DE114494-74F0-454C-AAC4-8B8E5F1C67D0",
"versionEndExcluding": "7.15.2",
"versionStartIncluding": "7.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "90BB3572-29ED-415F-AD34-00EB76271F9C",
"versionEndExcluding": "7.16.4",
"versionStartIncluding": "7.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "30EF756A-B4E9-4E5D-BE6F-02CE95F12C9C",
"versionEndExcluding": "7.17.4",
"versionStartIncluding": "7.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A56B6A10-E23F-49EF-8C07-1AEDFCAE2788",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AE8BE634-1599-4790-9410-6CA43BC60C4D",
"versionEndExcluding": "7.4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "52E68DFD-48F5-4949-AFEA-3829CA5DFC04",
"versionEndExcluding": "7.13.7",
"versionStartIncluding": "7.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5DCDEC6C-4515-4CAA-9D82-7BF68A3AAE7E",
"versionEndExcluding": "7.14.3",
"versionStartIncluding": "7.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B9948F94-DF67-4E3C-8CD4-417D57FBC60F",
"versionEndExcluding": "7.15.2",
"versionStartIncluding": "7.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "30E63ECB-85A8-4D41-A9B5-9FFF18D9CDB1",
"versionEndExcluding": "7.16.4",
"versionStartIncluding": "7.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "694171BD-FAE2-472C-8183-04BCA2F7B9A7",
"versionEndExcluding": "7.17.4",
"versionStartIncluding": "7.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0AC5E81B-DA4B-45E7-9584-4B576E49FD8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EE028964-B3FC-4883-9967-68DE46EE7F6F",
"versionEndExcluding": "4.3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "57DC9E2A-4C89-420D-9330-F11E56BF2F83",
"versionEndExcluding": "4.4.2",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crowd:5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C50A718F-C67B-4462-BB7E-F80408DEF07D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*",
"matchCriteriaId": "92329A2E-13E8-4818-85AB-3E7F479411EF",
"versionEndExcluding": "4.8.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*",
"matchCriteriaId": "30DDE751-CA88-4CFB-9E60-4243851B4B53",
"versionEndExcluding": "4.8.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D91B8507-A7A7-4B74-9999-F1DEA9F487A9",
"versionEndExcluding": "8.13.22",
"versionStartIncluding": "8.13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "963AE427-2897-42CB-AE11-654D700E690B",
"versionEndExcluding": "8.20.10",
"versionStartIncluding": "8.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A7CD8891-BB97-4AD3-BEE4-6CCA0D8A2D85",
"versionEndExcluding": "8.22.4",
"versionStartIncluding": "8.21.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E73A5202-6114-48E6-8F9B-C03B2E707055",
"versionEndExcluding": "8.13.22",
"versionStartIncluding": "8.13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D22AB11D-1D73-45DC-803C-146EFED18CDA",
"versionEndExcluding": "8.20.10",
"versionStartIncluding": "8.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BB2091E9-0B14-4786-852F-454C56D20839",
"versionEndExcluding": "8.22.4",
"versionStartIncluding": "8.21.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:data_center:*:*:*",
"matchCriteriaId": "1451C219-8AAA-4165-AE2C-033EF7B6F93A",
"versionEndExcluding": "4.13.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:server:*:*:*",
"matchCriteriaId": "BD23F987-0F14-4938-BB51-4EE61C24EB62",
"versionEndExcluding": "4.13.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*",
"matchCriteriaId": "39F77953-41D7-4398-9F07-2A057A993762",
"versionEndExcluding": "4.20.10",
"versionStartIncluding": "4.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*",
"matchCriteriaId": "CADBE0E7-36D9-4F6F-BEE6-A1E0B9428C2A",
"versionEndExcluding": "4.20.10",
"versionStartIncluding": "4.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*",
"matchCriteriaId": "DC0DB08B-2034-4691-A7B2-3E5F8B6318B1",
"versionEndExcluding": "4.22.4",
"versionStartIncluding": "4.21.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*",
"matchCriteriaId": "97A17BE7-7CCC-46D8-A317-53E2B026DF6E",
"versionEndExcluding": "4.22.4",
"versionStartIncluding": "4.21.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim\u2019s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4."
},
{
"lang": "es",
"value": "Una vulnerabilidad en diversos productos de Atlassian permite a un atacante remoto no autenticado causar que sean invocados Filtros Servlet adicionales cuando la aplicaci\u00f3n procesa peticiones o respuestas. Atlassian ha confirmado y corregido el \u00fanico problema de seguridad conocido asociado a esta vulnerabilidad: Omisi\u00f3n de recursos de origen cruzado (CORS). El env\u00edo de una petici\u00f3n HTTP especialmente dise\u00f1ada puede invocar el filtro Servlet usado para responder a las peticiones CORS, resultando en una omisi\u00f3n de CORS. Un atacante que pueda enga\u00f1ar a un usuario para que solicite una URL maliciosa puede acceder a la aplicaci\u00f3n vulnerable con los permisos de la v\u00edctima. Est\u00e1n afectadas las versiones de Atlassian Bamboo anteriores a 8.0.9, desde la 8.1.0 anteriores a 8.1.8 y de la 8.2.0 anteriores a 8.2.4. Las versiones de Atlassian Bitbucket est\u00e1n afectadas anteriores a 7.6.16, desde la 7.7.0 anteriores a 7.17.8, desde la 7.18.0 anteriores a 7.19.5, desde la 7.20.0 anteriores a 7.20.2, desde la 7.21.0 anteriores a 7.21.2, y las versiones 8.0.0 y 8.1.0. Est\u00e1n afectadas las versiones de Atlassian Confluence anteriores a 7.4.17, desde la 7.5.0 anteriores a 7.13.7, desde la 7.14.0 anteriores a 7.14.3, desde la 7.15.0 anteriores a 7.15.2, desde la 7.16.0 anteriores a 7.16.4, desde la 7.17.0 anteriores a 7.17.4 y la versi\u00f3n 7.21.0. Est\u00e1n afectadas las versiones de Atlassian Crowd anteriores a 4.3.8, desde la 4.4.0 hasta 4.4.2, y la versi\u00f3n 5.0.0. Est\u00e1n afectadas las versiones de Atlassian Fisheye y Crucible anteriores a 4.8.10. Est\u00e1n afectadas las versiones de Atlassian Jira anteriores a 8.13.22, desde la 8.14.0 hasta 8.20.10, y desde la 8.21.0 hasta 8.22.4. Las versiones de Atlassian Jira Service Management est\u00e1n afectadas anteriores a 4.13.22, desde la 4.14.0 anteriores a 4.20.10, y desde la 4.21.0 anteriores a 4.22.4"
}
],
"id": "CVE-2022-26137",
"lastModified": "2024-11-21T06:53:30.583",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-07-20T18:15:08.557",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-180"
}
],
"source": "security@atlassian.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-346"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-36233
Vulnerability from fkie_nvd - Published: 2021-02-18 20:15 - Updated: 2024-11-21 05:29
Severity ?
Summary
The Microsoft Windows Installer for Atlassian Bitbucket Server and Data Center before version 6.10.9, 7.x before 7.6.4, and from version 7.7.0 before 7.10.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
References
| URL | Tags | ||
|---|---|---|---|
| security@atlassian.com | https://jira.atlassian.com/browse/BSERV-12753 | Issue Tracking, Vendor Advisory | |
| security@atlassian.com | https://www.kb.cert.org/vuls/id/240785 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BSERV-12753 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.kb.cert.org/vuls/id/240785 | Third Party Advisory, US Government Resource |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8494F78A-D66A-406E-B395-9DB33C290A84",
"versionEndExcluding": "6.10.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8E4BCCD6-7814-47FE-8294-AFA009FE2031",
"versionEndExcluding": "7.6.4",
"versionStartIncluding": "7.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "742F96A9-980E-463E-AB11-4347389DEC13",
"versionEndExcluding": "7.10.1",
"versionStartIncluding": "7.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Microsoft Windows Installer for Atlassian Bitbucket Server and Data Center before version 6.10.9, 7.x before 7.6.4, and from version 7.7.0 before 7.10.1 allows local attackers to escalate privileges because of weak permissions on the installation directory."
},
{
"lang": "es",
"value": "El Microsoft Windows Installer para Atlassian Bitbucket Server y Data Center versiones anteriores a 6.10.9, versiones 7.x anteriores a 7.6.4 y desde versi\u00f3n 7.7.0 versiones anteriores a 7.10.1, permite a los atacantes locales escalar privilegios debido a permisos d\u00e9biles en el directorio de instalaci\u00f3n"
}
],
"id": "CVE-2020-36233",
"lastModified": "2024-11-21T05:29:06.803",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-18T20:15:12.587",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-12753"
},
{
"source": "security@atlassian.com",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.kb.cert.org/vuls/id/240785"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-12753"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.kb.cert.org/vuls/id/240785"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-276"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-14171
Vulnerability from fkie_nvd - Published: 2020-07-09 18:15 - Updated: 2024-11-21 05:02
Severity ?
Summary
Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 allows remote attackers to intercept unencrypted repository import requests via a Man-in-the-Middle (MITM) attack.
References
| URL | Tags | ||
|---|---|---|---|
| security@atlassian.com | https://jira.atlassian.com/browse/BSERV-12434 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BSERV-12434 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "928164DF-4BFA-4103-92EB-E4EEC630485C",
"versionEndExcluding": "7.2.4",
"versionStartIncluding": "4.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 allows remote attackers to intercept unencrypted repository import requests via a Man-in-the-Middle (MITM) attack."
},
{
"lang": "es",
"value": "Atlassian Bitbucket Server desde la versi\u00f3n 4.9.0 anterior a la versi\u00f3n 7.2.4, permite a atacantes remotos interceptar peticiones de importaci\u00f3n de repositorios sin cifrar mediante un ataque Man-in-the-Middle (MITM)"
}
],
"id": "CVE-2020-14171",
"lastModified": "2024-11-21T05:02:47.650",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 4.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-09T18:15:10.850",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-12434"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-12434"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-319"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-14170
Vulnerability from fkie_nvd - Published: 2020-07-09 18:15 - Updated: 2024-11-21 05:02
Severity ?
Summary
Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability.
References
| URL | Tags | ||
|---|---|---|---|
| security@atlassian.com | https://jira.atlassian.com/browse/BSERV-12433 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BSERV-12433 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "99564E41-2060-461B-93B2-E51AFBE52970",
"versionEndExcluding": "7.3.1",
"versionStartIncluding": "5.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability."
},
{
"lang": "es",
"value": "Webhooks en Atlassian Bitbucket Server desde la versi\u00f3n 5.4.0 anterior a la versi\u00f3n 7.3.1, permiten a atacantes remotos acceder al contenido de los recursos de la red interna mediante una vulnerabilidad de tipo Server-Side Request Forgery (SSRF)"
}
],
"id": "CVE-2020-14170",
"lastModified": "2024-11-21T05:02:47.547",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-09T18:15:10.770",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-12433"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-12433"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-15010
Vulnerability from fkie_nvd - Published: 2020-01-15 21:15 - Updated: 2024-11-21 04:27
Severity ?
Summary
Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim's systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim's Bitbucket Server or Bitbucket Data Center instance.
References
| URL | Tags | ||
|---|---|---|---|
| security@atlassian.com | https://jira.atlassian.com/browse/BSERV-12098 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BSERV-12098 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3421F4B2-A825-4715-A7F3-CB2EA2B8196D",
"versionEndExcluding": "5.6.11",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "48C8C6EE-1C20-4A8D-BEDA-166FBBEFCF2F",
"versionEndExcluding": "6.0.11",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FFF37587-82F5-4EE0-A937-28C38801D764",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "42E0BC42-C30E-4A8E-A8EE-FBDE1DE54320",
"versionEndExcluding": "6.2.7",
"versionStartIncluding": "6.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B9684FBA-86AA-41DC-BE24-E569528D73F5",
"versionEndExcluding": "6.3.6",
"versionStartIncluding": "6.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D9DB2AEC-BCD8-4F4C-8B46-DA7C1106CC19",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5EFDFE4F-C06F-4E7D-B4FB-9AF75ADF9B0D",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "24C8E399-F9B1-4C2F-8950-743D5648FCB8",
"versionEndExcluding": "6.6.3",
"versionStartIncluding": "6.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EF8E5098-21B9-416A-A83B-9F9141DEEC7C",
"versionEndExcluding": "6.7.3",
"versionStartIncluding": "6.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "866E87CD-8AD5-4241-82F9-80720F1E794E",
"versionEndExcluding": "6.8.2",
"versionStartIncluding": "6.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2873B168-8A85-4AB0-BD92-95423928F20D",
"versionEndExcluding": "6.9.1",
"versionStartIncluding": "6.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim\u0027s systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim\u0027s Bitbucket Server or Bitbucket Data Center instance."
},
{
"lang": "es",
"value": "Bitbucket Server y Bitbucket Data Center versiones comenzando desde 3.0.0 anteriores a la versi\u00f3n 5.16.11, desde versi\u00f3n 6.0.0 anteriores a la versi\u00f3n 6.0.11, desde versi\u00f3n 6.1.0 anteriores a la versi\u00f3n 6.1.9, desde versi\u00f3n 6.2.0 anteriores a la versi\u00f3n 6.2.7, desde versi\u00f3n 6.3.0 anteriores a la versi\u00f3n 6.3.6, desde versi\u00f3n 6.4.0 anteriores a la versi\u00f3n 6.4.4, desde versi\u00f3n 6.5.0 anteriores a la versi\u00f3n 6.5.3, desde versi\u00f3n 6.6.0 anteriores a la versi\u00f3n 6.6.3, desde versi\u00f3n 6.7.0 anteriores a la versi\u00f3n 6.7.3, desde versi\u00f3n 6.8.0 anteriores a la versi\u00f3n 6.8.2 y desde versi\u00f3n 6.9.0 anteriores a la versi\u00f3n 6.9.1, ten\u00edan una vulnerabilidad de Ejecuci\u00f3n de C\u00f3digo Remota por medio de ciertos campos de entrada de usuario. Un atacante remoto con permisos de nivel de usuario puede explotar esta vulnerabilidad para ejecutar comandos arbitrarios en los sistemas de la v\u00edctima. Utilizando una carga \u00fatil especialmente dise\u00f1ada como entrada de usuario, el atacante puede ejecutar comandos arbitrarios sobre las instancias Bitbucket Server o Bitbucket Data de las v\u00edctimas."
}
],
"id": "CVE-2019-15010",
"lastModified": "2024-11-21T04:27:52.060",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-01-15T21:15:12.313",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-12098"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-12098"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-15012
Vulnerability from fkie_nvd - Published: 2020-01-15 21:15 - Updated: 2024-11-21 04:27
Severity ?
Summary
Bitbucket Server and Bitbucket Data Center from version 4.13. before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the edit-file request. A remote attacker with write permission on a repository can write to any arbitrary file to the victims Bitbucket Server or Bitbucket Data Center instance using the edit-file endpoint, if the user has Bitbucket Server or Bitbucket Data Center running, and has the permission to write the file at that destination. In some cases, this can result in execution of arbitrary code by the victims Bitbucket Server or Bitbucket Data Center instance.
References
| URL | Tags | ||
|---|---|---|---|
| security@atlassian.com | https://jira.atlassian.com/browse/BSERV-12100 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BSERV-12100 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "77D2D5CB-064D-44C7-9C80-46BDD4A833B3",
"versionEndExcluding": "5.6.11",
"versionStartIncluding": "4.13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "48C8C6EE-1C20-4A8D-BEDA-166FBBEFCF2F",
"versionEndExcluding": "6.0.11",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FFF37587-82F5-4EE0-A937-28C38801D764",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "42E0BC42-C30E-4A8E-A8EE-FBDE1DE54320",
"versionEndExcluding": "6.2.7",
"versionStartIncluding": "6.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B9684FBA-86AA-41DC-BE24-E569528D73F5",
"versionEndExcluding": "6.3.6",
"versionStartIncluding": "6.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D9DB2AEC-BCD8-4F4C-8B46-DA7C1106CC19",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5EFDFE4F-C06F-4E7D-B4FB-9AF75ADF9B0D",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "24C8E399-F9B1-4C2F-8950-743D5648FCB8",
"versionEndExcluding": "6.6.3",
"versionStartIncluding": "6.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EF8E5098-21B9-416A-A83B-9F9141DEEC7C",
"versionEndExcluding": "6.7.3",
"versionStartIncluding": "6.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "866E87CD-8AD5-4241-82F9-80720F1E794E",
"versionEndExcluding": "6.8.2",
"versionStartIncluding": "6.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2873B168-8A85-4AB0-BD92-95423928F20D",
"versionEndExcluding": "6.9.1",
"versionStartIncluding": "6.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Bitbucket Server and Bitbucket Data Center from version 4.13. before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the edit-file request. A remote attacker with write permission on a repository can write to any arbitrary file to the victims Bitbucket Server or Bitbucket Data Center instance using the edit-file endpoint, if the user has Bitbucket Server or Bitbucket Data Center running, and has the permission to write the file at that destination. In some cases, this can result in execution of arbitrary code by the victims Bitbucket Server or Bitbucket Data Center instance."
},
{
"lang": "es",
"value": "Bitbucket Server y Bitbucket Data Center desde la versi\u00f3n 4.13. anteriores a la versi\u00f3n 5.16.11, desde versi\u00f3n 6.0.0 anteriores a la versi\u00f3n 6.0.11, desde versi\u00f3n 6.1.0 anteriores a la versi\u00f3n 6.1.9, desde versi\u00f3n 6.2.0 anteriores a la versi\u00f3n 6.2.7, desde versi\u00f3n 6.3.0 anteriores a la versi\u00f3n 6.3.6, desde versi\u00f3n 6.4.0 anteriores a la versi\u00f3n 6.4.4, desde versi\u00f3n 6.5.0 anteriores a la versi\u00f3n 6.5.3, desde versi\u00f3n 6.6.0 anteriores a 6.6.3, desde versi\u00f3n 6.7.0 anteriores a 6.7.3, desde versi\u00f3n 6.8.0 anteriores a la versi\u00f3n 6.8.2, desde versi\u00f3n 6.9.0 anteriores a la versi\u00f3n 6.9.1, tiene una vulnerabilidad de Ejecuci\u00f3n de C\u00f3digo Remota por medio de la petici\u00f3n edit-file. Un atacante remoto con permiso de escritura en un repositorio puede escribir en cualquier archivo arbitrario en las instancias de Bitbucket Server o Bitbucket Data Center de las v\u00edctimas utilizando el endpoint edit-file, si el usuario tiene Bitbucket Server o Bitbucket Data Center en ejecuci\u00f3n, y posee permiso para escribir el archivo en ese destino. En algunos casos, esto puede resultar en la ejecuci\u00f3n de c\u00f3digo arbitrario para las instancias Bitbucket Server o Bitbucket Data Center de las v\u00edctimas."
}
],
"id": "CVE-2019-15012",
"lastModified": "2024-11-21T04:27:52.303",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-01-15T21:15:12.390",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-12100"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-12100"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-20097
Vulnerability from fkie_nvd - Published: 2020-01-15 21:15 - Updated: 2024-11-21 04:38
Severity ?
Summary
Bitbucket Server and Bitbucket Data Center versions starting from 1.0.0 before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the post-receive hook. A remote attacker with permission to clone and push files to a repository on the victim's Bitbucket Server or Bitbucket Data Center instance, can exploit this vulnerability to execute arbitrary commands on the Bitbucket Server or Bitbucket Data Center systems, using a file with specially crafted content.
References
| URL | Tags | ||
|---|---|---|---|
| security@atlassian.com | https://jira.atlassian.com/browse/BSERV-12099 | Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.atlassian.com/browse/BSERV-12099 | Issue Tracking, Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "46BCBD19-3B62-4A81-9312-68E46D4A39D8",
"versionEndExcluding": "5.6.11",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "48C8C6EE-1C20-4A8D-BEDA-166FBBEFCF2F",
"versionEndExcluding": "6.0.11",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FFF37587-82F5-4EE0-A937-28C38801D764",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "42E0BC42-C30E-4A8E-A8EE-FBDE1DE54320",
"versionEndExcluding": "6.2.7",
"versionStartIncluding": "6.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B9684FBA-86AA-41DC-BE24-E569528D73F5",
"versionEndExcluding": "6.3.6",
"versionStartIncluding": "6.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D9DB2AEC-BCD8-4F4C-8B46-DA7C1106CC19",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5EFDFE4F-C06F-4E7D-B4FB-9AF75ADF9B0D",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "24C8E399-F9B1-4C2F-8950-743D5648FCB8",
"versionEndExcluding": "6.6.3",
"versionStartIncluding": "6.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EF8E5098-21B9-416A-A83B-9F9141DEEC7C",
"versionEndExcluding": "6.7.3",
"versionStartIncluding": "6.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "866E87CD-8AD5-4241-82F9-80720F1E794E",
"versionEndExcluding": "6.8.2",
"versionStartIncluding": "6.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2873B168-8A85-4AB0-BD92-95423928F20D",
"versionEndExcluding": "6.9.1",
"versionStartIncluding": "6.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Bitbucket Server and Bitbucket Data Center versions starting from 1.0.0 before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the post-receive hook. A remote attacker with permission to clone and push files to a repository on the victim\u0027s Bitbucket Server or Bitbucket Data Center instance, can exploit this vulnerability to execute arbitrary commands on the Bitbucket Server or Bitbucket Data Center systems, using a file with specially crafted content."
},
{
"lang": "es",
"value": "Bitbucket Server y Bitbucket Data Center versiones comenzando desde 1.0.0 anteriores a la versi\u00f3n 5.16.11, desde versi\u00f3n 6.0.0 anteriores a la versi\u00f3n 6.0.11, desde versi\u00f3n 6.1.0 anteriores a la versi\u00f3n 6.1.9, desde versi\u00f3n 6.2.0 anteriores a la versi\u00f3n 6.2.7, desde versi\u00f3n 6.3 .0 anteriores a la versi\u00f3n 6.3.6, desde versi\u00f3n 6.4.0 anteriores a la versi\u00f3n 6.4.4, desde versi\u00f3n 6.5.0 anteriores a 6.5.3, desde versi\u00f3n 6.6.0 anteriores a 6.6.3, desde versi\u00f3n 6.7.0 anteriores a la versi\u00f3n 6.7.3, desde versi\u00f3n 6.8 .0 anteriores a la versi\u00f3n 6.8.2, desde versi\u00f3n 6.9.0 anteriores a la versi\u00f3n 6.9.1, tiene una vulnerabilidad de Ejecuci\u00f3n de C\u00f3digo Remota por medio del enlace post-receive. Un atacante remoto con permiso para clonar y colocar archivos a un repositorio en la instancia de Bitbucket Server o Bitbucket Data Center de la v\u00edctima, puede explotar esta vulnerabilidad para ejecutar comandos arbitrarios en los sistemas Bitbucket Server o Bitbucket Data Center, utilizando un archivo con contenido especialmente dise\u00f1ado."
}
],
"id": "CVE-2019-20097",
"lastModified": "2024-11-21T04:38:03.433",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-01-15T21:15:12.483",
"references": [
{
"source": "security@atlassian.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-12099"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-12099"
}
],
"sourceIdentifier": "security@atlassian.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2022-43781 (GCVE-0-2022-43781)
Vulnerability from cvelistv5 – Published: 2022-11-17 00:00 – Updated: 2024-10-02 14:56
VLAI?
Summary
There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled “Allow public signup”.
Severity ?
9.8 (Critical)
CWE
- RCE (Remote Code Execution)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Atlassian | Bitbucket Data Center |
Unaffected:
before 7.0
Affected: before 7.17.12 Affected: before 7.21.6 Affected: before 7.6.19 Affected: before 8.0.5 Affected: before 8.1.5 Affected: before 8.2.4 Affected: before 8.3.3 Affected: before 8.4.2 Affected: before 8.5.0 |
|||||||
|
|||||||||
Credits
https://github.com/Ry0taK
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:40:06.623Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://confluence.atlassian.com/x/Y4hXRg"
},
{
"tags": [
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-13522"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bitbucket",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.6.19",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.17.12",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "7.21.6",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "8.0.5",
"status": "affected",
"version": "7.22.0",
"versionType": "custom"
},
{
"lessThan": "8.1.5",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.2.4",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
},
{
"lessThan": "8.3.3",
"status": "affected",
"version": "8.3.0",
"versionType": "custom"
},
{
"lessThan": "8.4.2",
"status": "affected",
"version": "8.4.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-43781",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T14:27:57.305026Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T14:56:09.693Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "before 7.0"
},
{
"status": "affected",
"version": "before 7.17.12"
},
{
"status": "affected",
"version": "before 7.21.6"
},
{
"status": "affected",
"version": "before 7.6.19"
},
{
"status": "affected",
"version": "before 8.0.5"
},
{
"status": "affected",
"version": "before 8.1.5"
},
{
"status": "affected",
"version": "before 8.2.4"
},
{
"status": "affected",
"version": "before 8.3.3"
},
{
"status": "affected",
"version": "before 8.4.2"
},
{
"status": "affected",
"version": "before 8.5.0"
}
]
},
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "before 7.0"
},
{
"status": "affected",
"version": "before 7.17.12"
},
{
"status": "affected",
"version": "before 7.21.6"
},
{
"status": "affected",
"version": "before 7.6.19"
},
{
"status": "affected",
"version": "before 8.0.5"
},
{
"status": "affected",
"version": "before 8.1.5"
},
{
"status": "affected",
"version": "before 8.2.4"
},
{
"status": "affected",
"version": "before 8.3.3"
},
{
"status": "affected",
"version": "before 8.4.2"
},
{
"status": "affected",
"version": "before 8.5.0"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "https://github.com/Ry0taK"
}
],
"descriptions": [
{
"lang": "en",
"value": "There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled \u201cAllow public signup\u201d."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "RCE (Remote Code Execution)",
"lang": "en",
"type": "RCE (Remote Code Execution)"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-17T00:00:01.210Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://confluence.atlassian.com/x/Y4hXRg"
},
{
"url": "https://jira.atlassian.com/browse/BSERV-13522"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2022-43781",
"datePublished": "2022-11-17T00:00:01.210Z",
"dateReserved": "2022-10-26T14:49:11.114Z",
"dateUpdated": "2024-10-02T14:56:09.693Z",
"requesterUserId": "4ceb4895-2afc-4c29-bf72-c2e04b367c52",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36804 (GCVE-0-2022-36804)
Vulnerability from cvelistv5 – Published: 2022-08-25 05:40 – Updated: 2025-10-21 23:15
VLAI?
Summary
Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.
Severity ?
8.8 (High)
CWE
- Remote Code Execution
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Atlassian | Bitbucket Server |
Affected:
7.0.0 , < unspecified
(custom)
Affected: unspecified , < 7.6.17 (custom) Affected: 7.7.0 , < unspecified (custom) Affected: unspecified , < 7.17.10 (custom) Affected: 7.18.0 , < unspecified (custom) Affected: unspecified , < 7.21.4 (custom) Affected: 8.0.0 , < unspecified (custom) Affected: unspecified , < 8.0.3 (custom) Affected: 8.1.0 , < unspecified (custom) Affected: unspecified , < 8.1.3 (custom) Affected: 8.2.0 , < unspecified (custom) Affected: unspecified , < 8.2.2 (custom) Affected: 8.3.0 , < unspecified (custom) Affected: unspecified , < 8.3.1 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:14:28.471Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-13438"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-36804",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T16:19:10.861167Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-09-30",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-36804"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:15:36.273Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-36804"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-09-30T00:00:00+00:00",
"value": "CVE-2022-36804 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.6.17",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "7.17.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.21.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
},
{
"lessThan": "8.0.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.1.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
},
{
"lessThan": "8.2.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.3.0",
"versionType": "custom"
},
{
"lessThan": "8.3.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.6.17",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "7.17.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.21.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
},
{
"lessThan": "8.0.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.1.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
},
{
"lessThan": "8.2.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.3.0",
"versionType": "custom"
},
{
"lessThan": "8.3.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-08-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-24T00:00:00.000Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/BSERV-13438"
},
{
"url": "http://packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html"
},
{
"url": "http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2022-36804",
"datePublished": "2022-08-25T05:40:08.899Z",
"dateReserved": "2022-07-26T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:15:36.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26137 (GCVE-0-2022-26137)
Vulnerability from cvelistv5 – Published: 2022-07-20 17:25 – Updated: 2024-10-03 17:10
VLAI?
Summary
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
Severity ?
8.8 (High)
CWE
- CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize (CWE-180)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Atlassian | Bamboo Server |
Affected:
unspecified , < 8.0.9
(custom)
Affected: 8.1.0 , < unspecified (custom) Affected: unspecified , < 8.1.8 (custom) Affected: 8.2.0 , < unspecified (custom) Affected: unspecified , < 8.2.4 (custom) |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:56:37.614Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bamboo",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.2.10",
"status": "affected",
"version": "7.2.0",
"versionType": "custom"
},
{
"lessThan": "8.0.9",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
},
{
"lessThan": "8.1.8",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.2.4",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bitbucket",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.6.16",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.17.8",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "7.19.5",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.20.2",
"status": "affected",
"version": "7.20.1",
"versionType": "custom"
},
{
"lessThan": "7.21.2",
"status": "affected",
"version": "7.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:bitbucket:8.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bitbucket",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "8.0.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:bitbucket:8.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bitbucket",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_data_center",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_data_center",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_server",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_server",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "crowd",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.3.8",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:crowd:5.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "crowd",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "5.0.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "crucible",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fisheye",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_data_center",
"vendor": "atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "8.13.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_server",
"vendor": "atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "8.13.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_desk:-:*:*:*:server:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_desk",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_desk:-:*:*:*:data_center:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_desk",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_management",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.20.10",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_management",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.20.10",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-26137",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T16:48:52.174175Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T17:10:16.886Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Bamboo Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.0.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.1.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
},
{
"lessThan": "8.2.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Bamboo Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.0.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.1.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
},
{
"lessThan": "8.2.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.6.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.19.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.20.0",
"versionType": "custom"
},
{
"lessThan": "7.20.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.21.0",
"versionType": "custom"
},
{
"lessThan": "7.21.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "8.0.0"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.6.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.19.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.20.0",
"versionType": "custom"
},
{
"lessThan": "7.20.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.21.0",
"versionType": "custom"
},
{
"lessThan": "7.21.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "8.0.0"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"product": "Confluence Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"product": "Confluence Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"product": "Crowd Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.3.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "5.0.0"
}
]
},
{
"product": "Crowd Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.3.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "5.0.0"
}
]
},
{
"product": "Crucible",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Fisheye",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Core Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Software Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Software Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Service Management Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Service Management Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-07-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim\u2019s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-180",
"description": "Incorrect Behavior Order: Validate Before Canonicalize (CWE-180)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-20T17:25:23",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2022-07-20T00:00:00",
"ID": "CVE-2022-26137",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bamboo Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.0.9"
},
{
"version_affected": "\u003e=",
"version_value": "8.1.0"
},
{
"version_affected": "\u003c",
"version_value": "8.1.8"
},
{
"version_affected": "\u003e=",
"version_value": "8.2.0"
},
{
"version_affected": "\u003c",
"version_value": "8.2.4"
}
]
}
},
{
"product_name": "Bamboo Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.0.9"
},
{
"version_affected": "\u003e=",
"version_value": "8.1.0"
},
{
"version_affected": "\u003c",
"version_value": "8.1.8"
},
{
"version_affected": "\u003e=",
"version_value": "8.2.0"
},
{
"version_affected": "\u003c",
"version_value": "8.2.4"
}
]
}
},
{
"product_name": "Bitbucket Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.6.16"
},
{
"version_affected": "\u003e=",
"version_value": "7.7.0"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.8"
},
{
"version_affected": "\u003e=",
"version_value": "7.18.0"
},
{
"version_affected": "\u003c",
"version_value": "7.19.5"
},
{
"version_affected": "\u003e=",
"version_value": "7.20.0"
},
{
"version_affected": "\u003c",
"version_value": "7.20.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.21.0"
},
{
"version_affected": "\u003c",
"version_value": "7.21.2"
},
{
"version_affected": "=",
"version_value": "8.0.0"
},
{
"version_affected": "=",
"version_value": "8.1.0"
}
]
}
},
{
"product_name": "Bitbucket Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.6.16"
},
{
"version_affected": "\u003e=",
"version_value": "7.7.0"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.8"
},
{
"version_affected": "\u003e=",
"version_value": "7.18.0"
},
{
"version_affected": "\u003c",
"version_value": "7.19.5"
},
{
"version_affected": "\u003e=",
"version_value": "7.20.0"
},
{
"version_affected": "\u003c",
"version_value": "7.20.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.21.0"
},
{
"version_affected": "\u003c",
"version_value": "7.21.2"
},
{
"version_affected": "=",
"version_value": "8.0.0"
},
{
"version_affected": "=",
"version_value": "8.1.0"
}
]
}
},
{
"product_name": "Confluence Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.4.17"
},
{
"version_affected": "\u003e=",
"version_value": "7.5.0"
},
{
"version_affected": "\u003c",
"version_value": "7.13.7"
},
{
"version_affected": "\u003e=",
"version_value": "7.14.0"
},
{
"version_affected": "\u003c",
"version_value": "7.14.3"
},
{
"version_affected": "\u003e=",
"version_value": "7.15.0"
},
{
"version_affected": "\u003c",
"version_value": "7.15.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.16.4"
},
{
"version_affected": "\u003e=",
"version_value": "7.17.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.4"
},
{
"version_affected": "=",
"version_value": "7.18.0"
}
]
}
},
{
"product_name": "Confluence Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.4.17"
},
{
"version_affected": "\u003e=",
"version_value": "7.5.0"
},
{
"version_affected": "\u003c",
"version_value": "7.13.7"
},
{
"version_affected": "\u003e=",
"version_value": "7.14.0"
},
{
"version_affected": "\u003c",
"version_value": "7.14.3"
},
{
"version_affected": "\u003e=",
"version_value": "7.15.0"
},
{
"version_affected": "\u003c",
"version_value": "7.15.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.16.4"
},
{
"version_affected": "\u003e=",
"version_value": "7.17.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.4"
},
{
"version_affected": "=",
"version_value": "7.18.0"
}
]
}
},
{
"product_name": "Crowd Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.3.8"
},
{
"version_affected": "\u003e=",
"version_value": "4.4.0"
},
{
"version_affected": "\u003c",
"version_value": "4.4.2"
},
{
"version_affected": "=",
"version_value": "5.0.0"
}
]
}
},
{
"product_name": "Crowd Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.3.8"
},
{
"version_affected": "\u003e=",
"version_value": "4.4.0"
},
{
"version_affected": "\u003c",
"version_value": "4.4.2"
},
{
"version_affected": "=",
"version_value": "5.0.0"
}
]
}
},
{
"product_name": "Crucible",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.8.10"
}
]
}
},
{
"product_name": "Fisheye",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.8.10"
}
]
}
},
{
"product_name": "Jira Core Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "8.14.0"
},
{
"version_affected": "\u003c",
"version_value": "8.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "8.21.0"
},
{
"version_affected": "\u003c",
"version_value": "8.22.4"
}
]
}
},
{
"product_name": "Jira Software Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "8.14.0"
},
{
"version_affected": "\u003c",
"version_value": "8.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "8.21.0"
},
{
"version_affected": "\u003c",
"version_value": "8.22.4"
}
]
}
},
{
"product_name": "Jira Software Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "8.14.0"
},
{
"version_affected": "\u003c",
"version_value": "8.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "8.21.0"
},
{
"version_affected": "\u003c",
"version_value": "8.22.4"
}
]
}
},
{
"product_name": "Jira Service Management Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "4.14.0"
},
{
"version_affected": "\u003c",
"version_value": "4.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "4.21.0"
},
{
"version_affected": "\u003c",
"version_value": "4.22.4"
}
]
}
},
{
"product_name": "Jira Service Management Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "4.14.0"
},
{
"version_affected": "\u003c",
"version_value": "4.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "4.21.0"
},
{
"version_affected": "\u003c",
"version_value": "4.22.4"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim\u2019s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Incorrect Behavior Order: Validate Before Canonicalize (CWE-180)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BAM-21795",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"name": "https://jira.atlassian.com/browse/BSERV-13370",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"name": "https://jira.atlassian.com/browse/CONFSERVER-79476",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"name": "https://jira.atlassian.com/browse/CWD-5815",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"name": "https://jira.atlassian.com/browse/FE-7410",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"name": "https://jira.atlassian.com/browse/CRUC-8541",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"name": "https://jira.atlassian.com/browse/JRASERVER-73897",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"name": "https://jira.atlassian.com/browse/JSDSERVER-11863",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2022-26137",
"datePublished": "2022-07-20T17:25:23.603830Z",
"dateReserved": "2022-02-25T00:00:00",
"dateUpdated": "2024-10-03T17:10:16.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26136 (GCVE-0-2022-26136)
Vulnerability from cvelistv5 – Published: 2022-07-20 17:25 – Updated: 2024-10-03 16:43
VLAI?
Summary
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
Severity ?
9.8 (Critical)
CWE
- CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize (CWE-180).
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Atlassian | Bamboo Server |
Affected:
unspecified , < 8.0.9
(custom)
Affected: 8.1.0 , < unspecified (custom) Affected: unspecified , < 8.1.8 (custom) Affected: 8.2.0 , < unspecified (custom) Affected: unspecified , < 8.2.4 (custom) |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:56:37.592Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bamboo",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.2.10",
"status": "affected",
"version": "7.2.0",
"versionType": "custom"
},
{
"lessThan": "8.0.9",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
},
{
"lessThan": "8.1.8",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.2.4",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bitbucket",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.6.16",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.17.8",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "7.19.5",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.20.2",
"status": "affected",
"version": "7.20.0",
"versionType": "custom"
},
{
"lessThan": "7.21.2",
"status": "affected",
"version": "7.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:bitbucket:8.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bitbucket:8.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bitbucket",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "8.0.0"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_data_center",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_data_center",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_server",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_server",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "crowd",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.3.8",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:crowd:5.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "crowd",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "5.0.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "crucible",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fisheye",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_data_center",
"vendor": "atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "8.13.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_server",
"vendor": "atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "8.13.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_desk:-:*:*:*:server:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_desk",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_desk:-:*:*:*:data_center:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_desk",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_management",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.20.10",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_management",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.20.10",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-26136",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T15:26:49.090400Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T16:43:16.268Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Bamboo Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.0.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.1.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
},
{
"lessThan": "8.2.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Bamboo Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.0.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.1.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
},
{
"lessThan": "8.2.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.6.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.19.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.20.0",
"versionType": "custom"
},
{
"lessThan": "7.20.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.21.0",
"versionType": "custom"
},
{
"lessThan": "7.21.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "8.0.0"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.6.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.19.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.20.0",
"versionType": "custom"
},
{
"lessThan": "7.20.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.21.0",
"versionType": "custom"
},
{
"lessThan": "7.21.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "8.0.0"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"product": "Confluence Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"product": "Confluence Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"product": "Crowd Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.3.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "5.0.0"
}
]
},
{
"product": "Crowd Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.3.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "5.0.0"
}
]
},
{
"product": "Crucible",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Fisheye",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Core Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Software Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Software Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Service Management Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Service Management Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-07-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-180",
"description": "Incorrect Behavior Order: Validate Before Canonicalize (CWE-180).",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-20T17:25:18",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2022-07-20T00:00:00",
"ID": "CVE-2022-26136",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bamboo Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.0.9"
},
{
"version_affected": "\u003e=",
"version_value": "8.1.0"
},
{
"version_affected": "\u003c",
"version_value": "8.1.8"
},
{
"version_affected": "\u003e=",
"version_value": "8.2.0"
},
{
"version_affected": "\u003c",
"version_value": "8.2.4"
}
]
}
},
{
"product_name": "Bamboo Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.0.9"
},
{
"version_affected": "\u003e=",
"version_value": "8.1.0"
},
{
"version_affected": "\u003c",
"version_value": "8.1.8"
},
{
"version_affected": "\u003e=",
"version_value": "8.2.0"
},
{
"version_affected": "\u003c",
"version_value": "8.2.4"
}
]
}
},
{
"product_name": "Bitbucket Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.6.16"
},
{
"version_affected": "\u003e=",
"version_value": "7.7.0"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.8"
},
{
"version_affected": "\u003e=",
"version_value": "7.18.0"
},
{
"version_affected": "\u003c",
"version_value": "7.19.5"
},
{
"version_affected": "\u003e=",
"version_value": "7.20.0"
},
{
"version_affected": "\u003c",
"version_value": "7.20.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.21.0"
},
{
"version_affected": "\u003c",
"version_value": "7.21.2"
},
{
"version_affected": "=",
"version_value": "8.0.0"
},
{
"version_affected": "=",
"version_value": "8.1.0"
}
]
}
},
{
"product_name": "Bitbucket Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.6.16"
},
{
"version_affected": "\u003e=",
"version_value": "7.7.0"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.8"
},
{
"version_affected": "\u003e=",
"version_value": "7.18.0"
},
{
"version_affected": "\u003c",
"version_value": "7.19.5"
},
{
"version_affected": "\u003e=",
"version_value": "7.20.0"
},
{
"version_affected": "\u003c",
"version_value": "7.20.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.21.0"
},
{
"version_affected": "\u003c",
"version_value": "7.21.2"
},
{
"version_affected": "=",
"version_value": "8.0.0"
},
{
"version_affected": "=",
"version_value": "8.1.0"
}
]
}
},
{
"product_name": "Confluence Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.4.17"
},
{
"version_affected": "\u003e=",
"version_value": "7.5.0"
},
{
"version_affected": "\u003c",
"version_value": "7.13.7"
},
{
"version_affected": "\u003e=",
"version_value": "7.14.0"
},
{
"version_affected": "\u003c",
"version_value": "7.14.3"
},
{
"version_affected": "\u003e=",
"version_value": "7.15.0"
},
{
"version_affected": "\u003c",
"version_value": "7.15.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.16.4"
},
{
"version_affected": "\u003e=",
"version_value": "7.17.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.4"
},
{
"version_affected": "=",
"version_value": "7.18.0"
}
]
}
},
{
"product_name": "Confluence Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.4.17"
},
{
"version_affected": "\u003e=",
"version_value": "7.5.0"
},
{
"version_affected": "\u003c",
"version_value": "7.13.7"
},
{
"version_affected": "\u003e=",
"version_value": "7.14.0"
},
{
"version_affected": "\u003c",
"version_value": "7.14.3"
},
{
"version_affected": "\u003e=",
"version_value": "7.15.0"
},
{
"version_affected": "\u003c",
"version_value": "7.15.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.16.4"
},
{
"version_affected": "\u003e=",
"version_value": "7.17.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.4"
},
{
"version_affected": "=",
"version_value": "7.18.0"
}
]
}
},
{
"product_name": "Crowd Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.3.8"
},
{
"version_affected": "\u003e=",
"version_value": "4.4.0"
},
{
"version_affected": "\u003c",
"version_value": "4.4.2"
},
{
"version_affected": "=",
"version_value": "5.0.0"
}
]
}
},
{
"product_name": "Crowd Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.3.8"
},
{
"version_affected": "\u003e=",
"version_value": "4.4.0"
},
{
"version_affected": "\u003c",
"version_value": "4.4.2"
},
{
"version_affected": "=",
"version_value": "5.0.0"
}
]
}
},
{
"product_name": "Crucible",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.8.10"
}
]
}
},
{
"product_name": "Fisheye",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.8.10"
}
]
}
},
{
"product_name": "Jira Core Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "8.14.0"
},
{
"version_affected": "\u003c",
"version_value": "8.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "8.21.0"
},
{
"version_affected": "\u003c",
"version_value": "8.22.4"
}
]
}
},
{
"product_name": "Jira Software Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "8.14.0"
},
{
"version_affected": "\u003c",
"version_value": "8.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "8.21.0"
},
{
"version_affected": "\u003c",
"version_value": "8.22.4"
}
]
}
},
{
"product_name": "Jira Software Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "8.14.0"
},
{
"version_affected": "\u003c",
"version_value": "8.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "8.21.0"
},
{
"version_affected": "\u003c",
"version_value": "8.22.4"
}
]
}
},
{
"product_name": "Jira Service Management Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "4.14.0"
},
{
"version_affected": "\u003c",
"version_value": "4.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "4.21.0"
},
{
"version_affected": "\u003c",
"version_value": "4.22.4"
}
]
}
},
{
"product_name": "Jira Service Management Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "4.14.0"
},
{
"version_affected": "\u003c",
"version_value": "4.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "4.21.0"
},
{
"version_affected": "\u003c",
"version_value": "4.22.4"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Incorrect Behavior Order: Validate Before Canonicalize (CWE-180)."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BAM-21795",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"name": "https://jira.atlassian.com/browse/BSERV-13370",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"name": "https://jira.atlassian.com/browse/CONFSERVER-79476",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"name": "https://jira.atlassian.com/browse/CWD-5815",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"name": "https://jira.atlassian.com/browse/FE-7410",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"name": "https://jira.atlassian.com/browse/CRUC-8541",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"name": "https://jira.atlassian.com/browse/JRASERVER-73897",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"name": "https://jira.atlassian.com/browse/JSDSERVER-11863",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2022-26136",
"datePublished": "2022-07-20T17:25:18.803466Z",
"dateReserved": "2022-02-25T00:00:00",
"dateUpdated": "2024-10-03T16:43:16.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36233 (GCVE-0-2020-36233)
Vulnerability from cvelistv5 – Published: 2021-02-18 15:16 – Updated: 2024-09-16 19:30
VLAI?
Summary
The Microsoft Windows Installer for Atlassian Bitbucket Server and Data Center before version 6.10.9, 7.x before 7.6.4, and from version 7.7.0 before 7.10.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
Severity ?
No CVSS data available.
CWE
- Incorrect Permission Assignment for Critical Resource
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Atlassian | Bitbucket Server |
Affected:
unspecified , < 6.10.9
(custom)
Affected: 7.0.0 , < unspecified (custom) Affected: unspecified , < 7.6.4 (custom) Affected: 7.7.0 , < unspecified (custom) Affected: unspecified , < 7.10.1 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:09.677Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-12753"
},
{
"name": "VU#240785",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "https://www.kb.cert.org/vuls/id/240785"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "6.10.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.6.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "7.10.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "6.10.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.6.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "7.10.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-02-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Microsoft Windows Installer for Atlassian Bitbucket Server and Data Center before version 6.10.9, 7.x before 7.6.4, and from version 7.7.0 before 7.10.1 allows local attackers to escalate privileges because of weak permissions on the installation directory."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-18T19:06:08",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BSERV-12753"
},
{
"name": "VU#240785",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "https://www.kb.cert.org/vuls/id/240785"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2021-02-16T00:00:00",
"ID": "CVE-2020-36233",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bitbucket Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "6.10.9"
},
{
"version_affected": "\u003e=",
"version_value": "7.0.0"
},
{
"version_affected": "\u003c",
"version_value": "7.6.4"
},
{
"version_affected": "\u003e=",
"version_value": "7.7.0"
},
{
"version_affected": "\u003c",
"version_value": "7.10.1"
}
]
}
},
{
"product_name": "Bitbucket Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "6.10.9"
},
{
"version_affected": "\u003e=",
"version_value": "7.0.0"
},
{
"version_affected": "\u003c",
"version_value": "7.6.4"
},
{
"version_affected": "\u003e=",
"version_value": "7.7.0"
},
{
"version_affected": "\u003c",
"version_value": "7.10.1"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Microsoft Windows Installer for Atlassian Bitbucket Server and Data Center before version 6.10.9, 7.x before 7.6.4, and from version 7.7.0 before 7.10.1 allows local attackers to escalate privileges because of weak permissions on the installation directory."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Incorrect Permission Assignment for Critical Resource"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BSERV-12753",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BSERV-12753"
},
{
"name": "VU#240785",
"refsource": "CERT-VN",
"url": "https://www.kb.cert.org/vuls/id/240785"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2020-36233",
"datePublished": "2021-02-18T15:16:22.101146Z",
"dateReserved": "2021-01-27T00:00:00",
"dateUpdated": "2024-09-16T19:30:12.974Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-14170 (GCVE-0-2020-14170)
Vulnerability from cvelistv5 – Published: 2020-07-09 17:20 – Updated: 2024-09-17 04:09
VLAI?
Summary
Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability.
Severity ?
No CVSS data available.
CWE
- Server Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Atlassian | Bitbucket Server |
Affected:
5.4.0 , < unspecified
(custom)
Affected: unspecified , < 7.3.1 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:39:36.189Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-12433"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "5.4.0",
"versionType": "custom"
},
{
"lessThan": "7.3.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-07-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Server Side Request Forgery (SSRF)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-09T17:20:48",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BSERV-12433"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2020-07-09T00:00:00",
"ID": "CVE-2020-14170",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bitbucket Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "5.4.0"
},
{
"version_affected": "\u003c",
"version_value": "7.3.1"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Server Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BSERV-12433",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BSERV-12433"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2020-14170",
"datePublished": "2020-07-09T17:20:48.079852Z",
"dateReserved": "2020-06-16T00:00:00",
"dateUpdated": "2024-09-17T04:09:37.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-14171 (GCVE-0-2020-14171)
Vulnerability from cvelistv5 – Published: 2020-07-09 17:17 – Updated: 2024-09-17 02:01
VLAI?
Summary
Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 allows remote attackers to intercept unencrypted repository import requests via a Man-in-the-Middle (MITM) attack.
Severity ?
No CVSS data available.
CWE
- Man-in-the-Middle (MITM)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Atlassian | Bitbucket Server |
Affected:
4.9.0 , < unspecified
(custom)
Affected: unspecified , < 7.2.4 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:39:36.011Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-12434"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.9.0",
"versionType": "custom"
},
{
"lessThan": "7.2.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-07-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 allows remote attackers to intercept unencrypted repository import requests via a Man-in-the-Middle (MITM) attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Man-in-the-Middle (MITM)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-09T17:17:29",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BSERV-12434"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2020-07-09T00:00:00",
"ID": "CVE-2020-14171",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bitbucket Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "4.9.0"
},
{
"version_affected": "\u003c",
"version_value": "7.2.4"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 allows remote attackers to intercept unencrypted repository import requests via a Man-in-the-Middle (MITM) attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Man-in-the-Middle (MITM)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BSERV-12434",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BSERV-12434"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2020-14171",
"datePublished": "2020-07-09T17:17:29.210940Z",
"dateReserved": "2020-06-16T00:00:00",
"dateUpdated": "2024-09-17T02:01:36.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15012 (GCVE-0-2019-15012)
Vulnerability from cvelistv5 – Published: 2020-01-15 20:46 – Updated: 2024-09-17 04:24
VLAI?
Summary
Bitbucket Server and Bitbucket Data Center from version 4.13. before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the edit-file request. A remote attacker with write permission on a repository can write to any arbitrary file to the victims Bitbucket Server or Bitbucket Data Center instance using the edit-file endpoint, if the user has Bitbucket Server or Bitbucket Data Center running, and has the permission to write the file at that destination. In some cases, this can result in execution of arbitrary code by the victims Bitbucket Server or Bitbucket Data Center instance.
Severity ?
No CVSS data available.
CWE
- Path traversal
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Atlassian | Bitbucket Server |
Affected:
4.13 , < unspecified
(custom)
Affected: unspecified , < 5.16.11 (custom) Affected: 6.0 , < unspecified (custom) Affected: unspecified , < 6.0.11 (custom) Affected: 6.1.0 , < unspecified (custom) Affected: unspecified , < 6.1.9 (custom) Affected: 6.2.0 , < unspecified (custom) Affected: unspecified , < 6.2.7 (custom) Affected: 6.3.0 , < unspecified (custom) Affected: unspecified , < 6.3.6 (custom) Affected: 6.4.0 , < unspecified (custom) Affected: unspecified , < 6.4.4 (custom) Affected: 6.5.0 , < unspecified (custom) Affected: unspecified , < 6.5.3 (custom) Affected: 6.6.0 , < unspecified (custom) Affected: unspecified , < 6.6.3 (custom) Affected: 6.7.0 , < unspecified (custom) Affected: unspecified , < 6.7.3 (custom) Affected: 6.8.0 , < unspecified (custom) Affected: unspecified , < 6.8.2 (custom) Affected: 6.9.0 , < unspecified (custom) Affected: unspecified , < 6.9.1 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:34:53.124Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-12100"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.13",
"versionType": "custom"
},
{
"lessThan": "5.16.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "6.0.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "6.1.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.2.0",
"versionType": "custom"
},
{
"lessThan": "6.2.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.3.0",
"versionType": "custom"
},
{
"lessThan": "6.3.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.4.0",
"versionType": "custom"
},
{
"lessThan": "6.4.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.5.0",
"versionType": "custom"
},
{
"lessThan": "6.5.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
},
{
"lessThan": "6.6.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.7.0",
"versionType": "custom"
},
{
"lessThan": "6.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.8.0",
"versionType": "custom"
},
{
"lessThan": "6.8.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.9.0",
"versionType": "custom"
},
{
"lessThan": "6.9.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.13",
"versionType": "custom"
},
{
"lessThan": "5.16.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "6.0.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "6.1.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.2.0",
"versionType": "custom"
},
{
"lessThan": "6.2.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.3.0",
"versionType": "custom"
},
{
"lessThan": "6.3.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.4.0",
"versionType": "custom"
},
{
"lessThan": "6.4.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.5.0",
"versionType": "custom"
},
{
"lessThan": "6.5.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
},
{
"lessThan": "6.6.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.7.0",
"versionType": "custom"
},
{
"lessThan": "6.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.8.0",
"versionType": "custom"
},
{
"lessThan": "6.8.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.9.0",
"versionType": "custom"
},
{
"lessThan": "6.9.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-01-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Bitbucket Server and Bitbucket Data Center from version 4.13. before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the edit-file request. A remote attacker with write permission on a repository can write to any arbitrary file to the victims Bitbucket Server or Bitbucket Data Center instance using the edit-file endpoint, if the user has Bitbucket Server or Bitbucket Data Center running, and has the permission to write the file at that destination. In some cases, this can result in execution of arbitrary code by the victims Bitbucket Server or Bitbucket Data Center instance."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Path traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-15T20:46:56",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BSERV-12100"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2020-01-15T10:00:00",
"ID": "CVE-2019-15012",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bitbucket Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "4.13"
},
{
"version_affected": "\u003c",
"version_value": "5.16.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.0.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.1.0"
},
{
"version_affected": "\u003c",
"version_value": "6.1.9"
},
{
"version_affected": "\u003e=",
"version_value": "6.2.0"
},
{
"version_affected": "\u003c",
"version_value": "6.2.7"
},
{
"version_affected": "\u003e=",
"version_value": "6.3.0"
},
{
"version_affected": "\u003c",
"version_value": "6.3.6"
},
{
"version_affected": "\u003e=",
"version_value": "6.4.0"
},
{
"version_affected": "\u003c",
"version_value": "6.4.4"
},
{
"version_affected": "\u003e=",
"version_value": "6.5.0"
},
{
"version_affected": "\u003c",
"version_value": "6.5.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.6.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.7.0"
},
{
"version_affected": "\u003c",
"version_value": "6.7.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.8.0"
},
{
"version_affected": "\u003c",
"version_value": "6.8.2"
},
{
"version_affected": "\u003e=",
"version_value": "6.9.0"
},
{
"version_affected": "\u003c",
"version_value": "6.9.1"
}
]
}
},
{
"product_name": "Bitbucket Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "4.13"
},
{
"version_affected": "\u003c",
"version_value": "5.16.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.0.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.1.0"
},
{
"version_affected": "\u003c",
"version_value": "6.1.9"
},
{
"version_affected": "\u003e=",
"version_value": "6.2.0"
},
{
"version_affected": "\u003c",
"version_value": "6.2.7"
},
{
"version_affected": "\u003e=",
"version_value": "6.3.0"
},
{
"version_affected": "\u003c",
"version_value": "6.3.6"
},
{
"version_affected": "\u003e=",
"version_value": "6.4.0"
},
{
"version_affected": "\u003c",
"version_value": "6.4.4"
},
{
"version_affected": "\u003e=",
"version_value": "6.5.0"
},
{
"version_affected": "\u003c",
"version_value": "6.5.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.6.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.7.0"
},
{
"version_affected": "\u003c",
"version_value": "6.7.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.8.0"
},
{
"version_affected": "\u003c",
"version_value": "6.8.2"
},
{
"version_affected": "\u003e=",
"version_value": "6.9.0"
},
{
"version_affected": "\u003c",
"version_value": "6.9.1"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bitbucket Server and Bitbucket Data Center from version 4.13. before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the edit-file request. A remote attacker with write permission on a repository can write to any arbitrary file to the victims Bitbucket Server or Bitbucket Data Center instance using the edit-file endpoint, if the user has Bitbucket Server or Bitbucket Data Center running, and has the permission to write the file at that destination. In some cases, this can result in execution of arbitrary code by the victims Bitbucket Server or Bitbucket Data Center instance."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Path traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BSERV-12100",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BSERV-12100"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2019-15012",
"datePublished": "2020-01-15T20:46:56.181070Z",
"dateReserved": "2019-08-13T00:00:00",
"dateUpdated": "2024-09-17T04:24:12.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15010 (GCVE-0-2019-15010)
Vulnerability from cvelistv5 – Published: 2020-01-15 20:46 – Updated: 2024-09-16 22:56
VLAI?
Summary
Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim's systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim's Bitbucket Server or Bitbucket Data Center instance.
Severity ?
No CVSS data available.
CWE
- Expression Language Injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Atlassian | Bitbucket Server |
Affected:
3.0 , < unspecified
(custom)
Affected: unspecified , < 5.16.11 (custom) Affected: 6.0 , < unspecified (custom) Affected: unspecified , < 6.0.11 (custom) Affected: 6.1.0 , < unspecified (custom) Affected: unspecified , < 6.1.9 (custom) Affected: 6.2.0 , < unspecified (custom) Affected: unspecified , < 6.2.7 (custom) Affected: 6.3.0 , < unspecified (custom) Affected: unspecified , < 6.3.6 (custom) Affected: 6.4.0 , < unspecified (custom) Affected: unspecified , < 6.4.4 (custom) Affected: 6.5.0 , < unspecified (custom) Affected: unspecified , < 6.5.3 (custom) Affected: 6.6.0 , < unspecified (custom) Affected: unspecified , < 6.6.3 (custom) Affected: 6.7.0 , < unspecified (custom) Affected: unspecified , < 6.7.3 (custom) Affected: 6.8.0 , < unspecified (custom) Affected: unspecified , < 6.8.2 (custom) Affected: 6.9.0 , < unspecified (custom) Affected: unspecified , < 6.9.1 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:34:53.027Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-12098"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.0",
"versionType": "custom"
},
{
"lessThan": "5.16.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "6.0.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "6.1.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.2.0",
"versionType": "custom"
},
{
"lessThan": "6.2.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.3.0",
"versionType": "custom"
},
{
"lessThan": "6.3.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.4.0",
"versionType": "custom"
},
{
"lessThan": "6.4.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.5.0",
"versionType": "custom"
},
{
"lessThan": "6.5.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
},
{
"lessThan": "6.6.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.7.0",
"versionType": "custom"
},
{
"lessThan": "6.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.8.0",
"versionType": "custom"
},
{
"lessThan": "6.8.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.9.0",
"versionType": "custom"
},
{
"lessThan": "6.9.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.0",
"versionType": "custom"
},
{
"lessThan": "5.16.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "6.0.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "6.1.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.2.0",
"versionType": "custom"
},
{
"lessThan": "6.2.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.3.0",
"versionType": "custom"
},
{
"lessThan": "6.3.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.4.0",
"versionType": "custom"
},
{
"lessThan": "6.4.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.5.0",
"versionType": "custom"
},
{
"lessThan": "6.5.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
},
{
"lessThan": "6.6.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.7.0",
"versionType": "custom"
},
{
"lessThan": "6.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.8.0",
"versionType": "custom"
},
{
"lessThan": "6.8.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.9.0",
"versionType": "custom"
},
{
"lessThan": "6.9.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-01-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim\u0027s systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim\u0027s Bitbucket Server or Bitbucket Data Center instance."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Expression Language Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-15T20:46:56",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BSERV-12098"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2020-01-15T10:00:00",
"ID": "CVE-2019-15010",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bitbucket Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "3.0"
},
{
"version_affected": "\u003c",
"version_value": "5.16.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.0.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.1.0"
},
{
"version_affected": "\u003c",
"version_value": "6.1.9"
},
{
"version_affected": "\u003e=",
"version_value": "6.2.0"
},
{
"version_affected": "\u003c",
"version_value": "6.2.7"
},
{
"version_affected": "\u003e=",
"version_value": "6.3.0"
},
{
"version_affected": "\u003c",
"version_value": "6.3.6"
},
{
"version_affected": "\u003e=",
"version_value": "6.4.0"
},
{
"version_affected": "\u003c",
"version_value": "6.4.4"
},
{
"version_affected": "\u003e=",
"version_value": "6.5.0"
},
{
"version_affected": "\u003c",
"version_value": "6.5.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.6.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.7.0"
},
{
"version_affected": "\u003c",
"version_value": "6.7.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.8.0"
},
{
"version_affected": "\u003c",
"version_value": "6.8.2"
},
{
"version_affected": "\u003e=",
"version_value": "6.9.0"
},
{
"version_affected": "\u003c",
"version_value": "6.9.1"
}
]
}
},
{
"product_name": "Bitbucket Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "3.0"
},
{
"version_affected": "\u003c",
"version_value": "5.16.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.0.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.1.0"
},
{
"version_affected": "\u003c",
"version_value": "6.1.9"
},
{
"version_affected": "\u003e=",
"version_value": "6.2.0"
},
{
"version_affected": "\u003c",
"version_value": "6.2.7"
},
{
"version_affected": "\u003e=",
"version_value": "6.3.0"
},
{
"version_affected": "\u003c",
"version_value": "6.3.6"
},
{
"version_affected": "\u003e=",
"version_value": "6.4.0"
},
{
"version_affected": "\u003c",
"version_value": "6.4.4"
},
{
"version_affected": "\u003e=",
"version_value": "6.5.0"
},
{
"version_affected": "\u003c",
"version_value": "6.5.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.6.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.7.0"
},
{
"version_affected": "\u003c",
"version_value": "6.7.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.8.0"
},
{
"version_affected": "\u003c",
"version_value": "6.8.2"
},
{
"version_affected": "\u003e=",
"version_value": "6.9.0"
},
{
"version_affected": "\u003c",
"version_value": "6.9.1"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim\u0027s systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim\u0027s Bitbucket Server or Bitbucket Data Center instance."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Expression Language Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BSERV-12098",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BSERV-12098"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2019-15010",
"datePublished": "2020-01-15T20:46:56.108707Z",
"dateReserved": "2019-08-13T00:00:00",
"dateUpdated": "2024-09-16T22:56:09.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-20097 (GCVE-0-2019-20097)
Vulnerability from cvelistv5 – Published: 2020-01-15 20:46 – Updated: 2024-09-16 18:48
VLAI?
Summary
Bitbucket Server and Bitbucket Data Center versions starting from 1.0.0 before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the post-receive hook. A remote attacker with permission to clone and push files to a repository on the victim's Bitbucket Server or Bitbucket Data Center instance, can exploit this vulnerability to execute arbitrary commands on the Bitbucket Server or Bitbucket Data Center systems, using a file with specially crafted content.
Severity ?
No CVSS data available.
CWE
- Argument Injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Atlassian | Bitbucket Server |
Affected:
1.0 , < unspecified
(custom)
Affected: unspecified , < 5.16.11 (custom) Affected: 6.0 , < unspecified (custom) Affected: unspecified , < 6.0.11 (custom) Affected: 6.1.0 , < unspecified (custom) Affected: unspecified , < 6.1.9 (custom) Affected: 6.2.0 , < unspecified (custom) Affected: unspecified , < 6.2.7 (custom) Affected: 6.3.0 , < unspecified (custom) Affected: unspecified , < 6.3.6 (custom) Affected: 6.4.0 , < unspecified (custom) Affected: unspecified , < 6.4.4 (custom) Affected: 6.5.0 , < unspecified (custom) Affected: unspecified , < 6.5.3 (custom) Affected: 6.6.0 , < unspecified (custom) Affected: unspecified , < 6.6.3 (custom) Affected: 6.7.0 , < unspecified (custom) Affected: unspecified , < 6.7.3 (custom) Affected: 6.8.0 , < unspecified (custom) Affected: unspecified , < 6.8.2 (custom) Affected: 6.9.0 , < unspecified (custom) Affected: unspecified , < 6.9.1 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:32:10.612Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-12099"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "1.0",
"versionType": "custom"
},
{
"lessThan": "5.16.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "6.0.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "6.1.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.2.0",
"versionType": "custom"
},
{
"lessThan": "6.2.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.3.0",
"versionType": "custom"
},
{
"lessThan": "6.3.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.4.0",
"versionType": "custom"
},
{
"lessThan": "6.4.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.5.0",
"versionType": "custom"
},
{
"lessThan": "6.5.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
},
{
"lessThan": "6.6.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.7.0",
"versionType": "custom"
},
{
"lessThan": "6.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.8.0",
"versionType": "custom"
},
{
"lessThan": "6.8.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.9.0",
"versionType": "custom"
},
{
"lessThan": "6.9.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "1.0",
"versionType": "custom"
},
{
"lessThan": "5.16.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "6.0.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "6.1.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.2.0",
"versionType": "custom"
},
{
"lessThan": "6.2.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.3.0",
"versionType": "custom"
},
{
"lessThan": "6.3.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.4.0",
"versionType": "custom"
},
{
"lessThan": "6.4.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.5.0",
"versionType": "custom"
},
{
"lessThan": "6.5.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
},
{
"lessThan": "6.6.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.7.0",
"versionType": "custom"
},
{
"lessThan": "6.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.8.0",
"versionType": "custom"
},
{
"lessThan": "6.8.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.9.0",
"versionType": "custom"
},
{
"lessThan": "6.9.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-01-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Bitbucket Server and Bitbucket Data Center versions starting from 1.0.0 before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the post-receive hook. A remote attacker with permission to clone and push files to a repository on the victim\u0027s Bitbucket Server or Bitbucket Data Center instance, can exploit this vulnerability to execute arbitrary commands on the Bitbucket Server or Bitbucket Data Center systems, using a file with specially crafted content."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Argument Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-15T20:46:56",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BSERV-12099"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2020-01-15T10:00:00",
"ID": "CVE-2019-20097",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bitbucket Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "1.0"
},
{
"version_affected": "\u003c",
"version_value": "5.16.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.0.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.1.0"
},
{
"version_affected": "\u003c",
"version_value": "6.1.9"
},
{
"version_affected": "\u003e=",
"version_value": "6.2.0"
},
{
"version_affected": "\u003c",
"version_value": "6.2.7"
},
{
"version_affected": "\u003e=",
"version_value": "6.3.0"
},
{
"version_affected": "\u003c",
"version_value": "6.3.6"
},
{
"version_affected": "\u003e=",
"version_value": "6.4.0"
},
{
"version_affected": "\u003c",
"version_value": "6.4.4"
},
{
"version_affected": "\u003e=",
"version_value": "6.5.0"
},
{
"version_affected": "\u003c",
"version_value": "6.5.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.6.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.7.0"
},
{
"version_affected": "\u003c",
"version_value": "6.7.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.8.0"
},
{
"version_affected": "\u003c",
"version_value": "6.8.2"
},
{
"version_affected": "\u003e=",
"version_value": "6.9.0"
},
{
"version_affected": "\u003c",
"version_value": "6.9.1"
}
]
}
},
{
"product_name": "Bitbucket Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "1.0"
},
{
"version_affected": "\u003c",
"version_value": "5.16.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.0.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.1.0"
},
{
"version_affected": "\u003c",
"version_value": "6.1.9"
},
{
"version_affected": "\u003e=",
"version_value": "6.2.0"
},
{
"version_affected": "\u003c",
"version_value": "6.2.7"
},
{
"version_affected": "\u003e=",
"version_value": "6.3.0"
},
{
"version_affected": "\u003c",
"version_value": "6.3.6"
},
{
"version_affected": "\u003e=",
"version_value": "6.4.0"
},
{
"version_affected": "\u003c",
"version_value": "6.4.4"
},
{
"version_affected": "\u003e=",
"version_value": "6.5.0"
},
{
"version_affected": "\u003c",
"version_value": "6.5.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.6.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.7.0"
},
{
"version_affected": "\u003c",
"version_value": "6.7.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.8.0"
},
{
"version_affected": "\u003c",
"version_value": "6.8.2"
},
{
"version_affected": "\u003e=",
"version_value": "6.9.0"
},
{
"version_affected": "\u003c",
"version_value": "6.9.1"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bitbucket Server and Bitbucket Data Center versions starting from 1.0.0 before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the post-receive hook. A remote attacker with permission to clone and push files to a repository on the victim\u0027s Bitbucket Server or Bitbucket Data Center instance, can exploit this vulnerability to execute arbitrary commands on the Bitbucket Server or Bitbucket Data Center systems, using a file with specially crafted content."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Argument Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BSERV-12099",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BSERV-12099"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2019-20097",
"datePublished": "2020-01-15T20:46:56.225730Z",
"dateReserved": "2019-12-30T00:00:00",
"dateUpdated": "2024-09-16T18:48:48.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43781 (GCVE-0-2022-43781)
Vulnerability from nvd – Published: 2022-11-17 00:00 – Updated: 2024-10-02 14:56
VLAI?
Summary
There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled “Allow public signup”.
Severity ?
9.8 (Critical)
CWE
- RCE (Remote Code Execution)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Atlassian | Bitbucket Data Center |
Unaffected:
before 7.0
Affected: before 7.17.12 Affected: before 7.21.6 Affected: before 7.6.19 Affected: before 8.0.5 Affected: before 8.1.5 Affected: before 8.2.4 Affected: before 8.3.3 Affected: before 8.4.2 Affected: before 8.5.0 |
|||||||
|
|||||||||
Credits
https://github.com/Ry0taK
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:40:06.623Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://confluence.atlassian.com/x/Y4hXRg"
},
{
"tags": [
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-13522"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bitbucket",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.6.19",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.17.12",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "7.21.6",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "8.0.5",
"status": "affected",
"version": "7.22.0",
"versionType": "custom"
},
{
"lessThan": "8.1.5",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.2.4",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
},
{
"lessThan": "8.3.3",
"status": "affected",
"version": "8.3.0",
"versionType": "custom"
},
{
"lessThan": "8.4.2",
"status": "affected",
"version": "8.4.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-43781",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T14:27:57.305026Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T14:56:09.693Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "before 7.0"
},
{
"status": "affected",
"version": "before 7.17.12"
},
{
"status": "affected",
"version": "before 7.21.6"
},
{
"status": "affected",
"version": "before 7.6.19"
},
{
"status": "affected",
"version": "before 8.0.5"
},
{
"status": "affected",
"version": "before 8.1.5"
},
{
"status": "affected",
"version": "before 8.2.4"
},
{
"status": "affected",
"version": "before 8.3.3"
},
{
"status": "affected",
"version": "before 8.4.2"
},
{
"status": "affected",
"version": "before 8.5.0"
}
]
},
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "before 7.0"
},
{
"status": "affected",
"version": "before 7.17.12"
},
{
"status": "affected",
"version": "before 7.21.6"
},
{
"status": "affected",
"version": "before 7.6.19"
},
{
"status": "affected",
"version": "before 8.0.5"
},
{
"status": "affected",
"version": "before 8.1.5"
},
{
"status": "affected",
"version": "before 8.2.4"
},
{
"status": "affected",
"version": "before 8.3.3"
},
{
"status": "affected",
"version": "before 8.4.2"
},
{
"status": "affected",
"version": "before 8.5.0"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "https://github.com/Ry0taK"
}
],
"descriptions": [
{
"lang": "en",
"value": "There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled \u201cAllow public signup\u201d."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "RCE (Remote Code Execution)",
"lang": "en",
"type": "RCE (Remote Code Execution)"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-17T00:00:01.210Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://confluence.atlassian.com/x/Y4hXRg"
},
{
"url": "https://jira.atlassian.com/browse/BSERV-13522"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2022-43781",
"datePublished": "2022-11-17T00:00:01.210Z",
"dateReserved": "2022-10-26T14:49:11.114Z",
"dateUpdated": "2024-10-02T14:56:09.693Z",
"requesterUserId": "4ceb4895-2afc-4c29-bf72-c2e04b367c52",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36804 (GCVE-0-2022-36804)
Vulnerability from nvd – Published: 2022-08-25 05:40 – Updated: 2025-10-21 23:15
VLAI?
Summary
Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.
Severity ?
8.8 (High)
CWE
- Remote Code Execution
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Atlassian | Bitbucket Server |
Affected:
7.0.0 , < unspecified
(custom)
Affected: unspecified , < 7.6.17 (custom) Affected: 7.7.0 , < unspecified (custom) Affected: unspecified , < 7.17.10 (custom) Affected: 7.18.0 , < unspecified (custom) Affected: unspecified , < 7.21.4 (custom) Affected: 8.0.0 , < unspecified (custom) Affected: unspecified , < 8.0.3 (custom) Affected: 8.1.0 , < unspecified (custom) Affected: unspecified , < 8.1.3 (custom) Affected: 8.2.0 , < unspecified (custom) Affected: unspecified , < 8.2.2 (custom) Affected: 8.3.0 , < unspecified (custom) Affected: unspecified , < 8.3.1 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:14:28.471Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-13438"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-36804",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T16:19:10.861167Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-09-30",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-36804"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:15:36.273Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-36804"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-09-30T00:00:00+00:00",
"value": "CVE-2022-36804 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.6.17",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "7.17.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.21.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
},
{
"lessThan": "8.0.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.1.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
},
{
"lessThan": "8.2.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.3.0",
"versionType": "custom"
},
{
"lessThan": "8.3.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.6.17",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "7.17.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.21.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
},
{
"lessThan": "8.0.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.1.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
},
{
"lessThan": "8.2.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.3.0",
"versionType": "custom"
},
{
"lessThan": "8.3.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-08-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-24T00:00:00.000Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/BSERV-13438"
},
{
"url": "http://packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html"
},
{
"url": "http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2022-36804",
"datePublished": "2022-08-25T05:40:08.899Z",
"dateReserved": "2022-07-26T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:15:36.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26137 (GCVE-0-2022-26137)
Vulnerability from nvd – Published: 2022-07-20 17:25 – Updated: 2024-10-03 17:10
VLAI?
Summary
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
Severity ?
8.8 (High)
CWE
- CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize (CWE-180)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Atlassian | Bamboo Server |
Affected:
unspecified , < 8.0.9
(custom)
Affected: 8.1.0 , < unspecified (custom) Affected: unspecified , < 8.1.8 (custom) Affected: 8.2.0 , < unspecified (custom) Affected: unspecified , < 8.2.4 (custom) |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:56:37.614Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bamboo",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.2.10",
"status": "affected",
"version": "7.2.0",
"versionType": "custom"
},
{
"lessThan": "8.0.9",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
},
{
"lessThan": "8.1.8",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.2.4",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bitbucket",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.6.16",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.17.8",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "7.19.5",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.20.2",
"status": "affected",
"version": "7.20.1",
"versionType": "custom"
},
{
"lessThan": "7.21.2",
"status": "affected",
"version": "7.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:bitbucket:8.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bitbucket",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "8.0.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:bitbucket:8.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bitbucket",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_data_center",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_data_center",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_server",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_server",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "crowd",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.3.8",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:crowd:5.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "crowd",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "5.0.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "crucible",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fisheye",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_data_center",
"vendor": "atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "8.13.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_server",
"vendor": "atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "8.13.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_desk:-:*:*:*:server:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_desk",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_desk:-:*:*:*:data_center:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_desk",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_management",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.20.10",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_management",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.20.10",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-26137",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T16:48:52.174175Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T17:10:16.886Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Bamboo Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.0.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.1.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
},
{
"lessThan": "8.2.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Bamboo Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.0.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.1.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
},
{
"lessThan": "8.2.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.6.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.19.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.20.0",
"versionType": "custom"
},
{
"lessThan": "7.20.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.21.0",
"versionType": "custom"
},
{
"lessThan": "7.21.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "8.0.0"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.6.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.19.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.20.0",
"versionType": "custom"
},
{
"lessThan": "7.20.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.21.0",
"versionType": "custom"
},
{
"lessThan": "7.21.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "8.0.0"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"product": "Confluence Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"product": "Confluence Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"product": "Crowd Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.3.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "5.0.0"
}
]
},
{
"product": "Crowd Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.3.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "5.0.0"
}
]
},
{
"product": "Crucible",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Fisheye",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Core Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Software Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Software Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Service Management Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Service Management Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-07-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim\u2019s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-180",
"description": "Incorrect Behavior Order: Validate Before Canonicalize (CWE-180)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-20T17:25:23",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2022-07-20T00:00:00",
"ID": "CVE-2022-26137",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bamboo Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.0.9"
},
{
"version_affected": "\u003e=",
"version_value": "8.1.0"
},
{
"version_affected": "\u003c",
"version_value": "8.1.8"
},
{
"version_affected": "\u003e=",
"version_value": "8.2.0"
},
{
"version_affected": "\u003c",
"version_value": "8.2.4"
}
]
}
},
{
"product_name": "Bamboo Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.0.9"
},
{
"version_affected": "\u003e=",
"version_value": "8.1.0"
},
{
"version_affected": "\u003c",
"version_value": "8.1.8"
},
{
"version_affected": "\u003e=",
"version_value": "8.2.0"
},
{
"version_affected": "\u003c",
"version_value": "8.2.4"
}
]
}
},
{
"product_name": "Bitbucket Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.6.16"
},
{
"version_affected": "\u003e=",
"version_value": "7.7.0"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.8"
},
{
"version_affected": "\u003e=",
"version_value": "7.18.0"
},
{
"version_affected": "\u003c",
"version_value": "7.19.5"
},
{
"version_affected": "\u003e=",
"version_value": "7.20.0"
},
{
"version_affected": "\u003c",
"version_value": "7.20.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.21.0"
},
{
"version_affected": "\u003c",
"version_value": "7.21.2"
},
{
"version_affected": "=",
"version_value": "8.0.0"
},
{
"version_affected": "=",
"version_value": "8.1.0"
}
]
}
},
{
"product_name": "Bitbucket Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.6.16"
},
{
"version_affected": "\u003e=",
"version_value": "7.7.0"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.8"
},
{
"version_affected": "\u003e=",
"version_value": "7.18.0"
},
{
"version_affected": "\u003c",
"version_value": "7.19.5"
},
{
"version_affected": "\u003e=",
"version_value": "7.20.0"
},
{
"version_affected": "\u003c",
"version_value": "7.20.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.21.0"
},
{
"version_affected": "\u003c",
"version_value": "7.21.2"
},
{
"version_affected": "=",
"version_value": "8.0.0"
},
{
"version_affected": "=",
"version_value": "8.1.0"
}
]
}
},
{
"product_name": "Confluence Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.4.17"
},
{
"version_affected": "\u003e=",
"version_value": "7.5.0"
},
{
"version_affected": "\u003c",
"version_value": "7.13.7"
},
{
"version_affected": "\u003e=",
"version_value": "7.14.0"
},
{
"version_affected": "\u003c",
"version_value": "7.14.3"
},
{
"version_affected": "\u003e=",
"version_value": "7.15.0"
},
{
"version_affected": "\u003c",
"version_value": "7.15.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.16.4"
},
{
"version_affected": "\u003e=",
"version_value": "7.17.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.4"
},
{
"version_affected": "=",
"version_value": "7.18.0"
}
]
}
},
{
"product_name": "Confluence Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.4.17"
},
{
"version_affected": "\u003e=",
"version_value": "7.5.0"
},
{
"version_affected": "\u003c",
"version_value": "7.13.7"
},
{
"version_affected": "\u003e=",
"version_value": "7.14.0"
},
{
"version_affected": "\u003c",
"version_value": "7.14.3"
},
{
"version_affected": "\u003e=",
"version_value": "7.15.0"
},
{
"version_affected": "\u003c",
"version_value": "7.15.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.16.4"
},
{
"version_affected": "\u003e=",
"version_value": "7.17.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.4"
},
{
"version_affected": "=",
"version_value": "7.18.0"
}
]
}
},
{
"product_name": "Crowd Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.3.8"
},
{
"version_affected": "\u003e=",
"version_value": "4.4.0"
},
{
"version_affected": "\u003c",
"version_value": "4.4.2"
},
{
"version_affected": "=",
"version_value": "5.0.0"
}
]
}
},
{
"product_name": "Crowd Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.3.8"
},
{
"version_affected": "\u003e=",
"version_value": "4.4.0"
},
{
"version_affected": "\u003c",
"version_value": "4.4.2"
},
{
"version_affected": "=",
"version_value": "5.0.0"
}
]
}
},
{
"product_name": "Crucible",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.8.10"
}
]
}
},
{
"product_name": "Fisheye",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.8.10"
}
]
}
},
{
"product_name": "Jira Core Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "8.14.0"
},
{
"version_affected": "\u003c",
"version_value": "8.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "8.21.0"
},
{
"version_affected": "\u003c",
"version_value": "8.22.4"
}
]
}
},
{
"product_name": "Jira Software Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "8.14.0"
},
{
"version_affected": "\u003c",
"version_value": "8.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "8.21.0"
},
{
"version_affected": "\u003c",
"version_value": "8.22.4"
}
]
}
},
{
"product_name": "Jira Software Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "8.14.0"
},
{
"version_affected": "\u003c",
"version_value": "8.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "8.21.0"
},
{
"version_affected": "\u003c",
"version_value": "8.22.4"
}
]
}
},
{
"product_name": "Jira Service Management Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "4.14.0"
},
{
"version_affected": "\u003c",
"version_value": "4.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "4.21.0"
},
{
"version_affected": "\u003c",
"version_value": "4.22.4"
}
]
}
},
{
"product_name": "Jira Service Management Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "4.14.0"
},
{
"version_affected": "\u003c",
"version_value": "4.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "4.21.0"
},
{
"version_affected": "\u003c",
"version_value": "4.22.4"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim\u2019s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Incorrect Behavior Order: Validate Before Canonicalize (CWE-180)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BAM-21795",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"name": "https://jira.atlassian.com/browse/BSERV-13370",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"name": "https://jira.atlassian.com/browse/CONFSERVER-79476",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"name": "https://jira.atlassian.com/browse/CWD-5815",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"name": "https://jira.atlassian.com/browse/FE-7410",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"name": "https://jira.atlassian.com/browse/CRUC-8541",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"name": "https://jira.atlassian.com/browse/JRASERVER-73897",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"name": "https://jira.atlassian.com/browse/JSDSERVER-11863",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2022-26137",
"datePublished": "2022-07-20T17:25:23.603830Z",
"dateReserved": "2022-02-25T00:00:00",
"dateUpdated": "2024-10-03T17:10:16.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26136 (GCVE-0-2022-26136)
Vulnerability from nvd – Published: 2022-07-20 17:25 – Updated: 2024-10-03 16:43
VLAI?
Summary
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
Severity ?
9.8 (Critical)
CWE
- CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize (CWE-180).
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Atlassian | Bamboo Server |
Affected:
unspecified , < 8.0.9
(custom)
Affected: 8.1.0 , < unspecified (custom) Affected: unspecified , < 8.1.8 (custom) Affected: 8.2.0 , < unspecified (custom) Affected: unspecified , < 8.2.4 (custom) |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:56:37.592Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bamboo",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.2.10",
"status": "affected",
"version": "7.2.0",
"versionType": "custom"
},
{
"lessThan": "8.0.9",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
},
{
"lessThan": "8.1.8",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.2.4",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bitbucket",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.6.16",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.17.8",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "7.19.5",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.20.2",
"status": "affected",
"version": "7.20.0",
"versionType": "custom"
},
{
"lessThan": "7.21.2",
"status": "affected",
"version": "7.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:bitbucket:8.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:atlassian:bitbucket:8.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bitbucket",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "8.0.0"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_data_center",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_data_center",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_server",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "confluence_server",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "crowd",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.3.8",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:crowd:5.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "crowd",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "5.0.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "crucible",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fisheye",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_data_center",
"vendor": "atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "8.13.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_server",
"vendor": "atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "8.13.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_desk:-:*:*:*:server:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_desk",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_desk:-:*:*:*:data_center:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_desk",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_management",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.20.10",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_service_management",
"vendor": "atlassian",
"versions": [
{
"lessThan": "4.20.10",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-26136",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T15:26:49.090400Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T16:43:16.268Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Bamboo Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.0.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.1.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
},
{
"lessThan": "8.2.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Bamboo Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.0.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
},
{
"lessThan": "8.1.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
},
{
"lessThan": "8.2.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.6.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.19.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.20.0",
"versionType": "custom"
},
{
"lessThan": "7.20.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.21.0",
"versionType": "custom"
},
{
"lessThan": "7.21.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "8.0.0"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.6.16",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.17.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.19.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.20.0",
"versionType": "custom"
},
{
"lessThan": "7.20.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.21.0",
"versionType": "custom"
},
{
"lessThan": "7.21.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "8.0.0"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"product": "Confluence Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"product": "Confluence Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.4.17",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.5.0",
"versionType": "custom"
},
{
"lessThan": "7.13.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.14.0",
"versionType": "custom"
},
{
"lessThan": "7.14.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.15.0",
"versionType": "custom"
},
{
"lessThan": "7.15.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.16.0",
"versionType": "custom"
},
{
"lessThan": "7.16.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.17.0",
"versionType": "custom"
},
{
"lessThan": "7.17.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "7.18.0"
}
]
},
{
"product": "Crowd Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.3.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "5.0.0"
}
]
},
{
"product": "Crowd Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.3.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "5.0.0"
}
]
},
{
"product": "Crucible",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Fisheye",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.8.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Core Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Software Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Software Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.21.0",
"versionType": "custom"
},
{
"lessThan": "8.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Service Management Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Service Management Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "4.13.22",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.14.0",
"versionType": "custom"
},
{
"lessThan": "4.20.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.21.0",
"versionType": "custom"
},
{
"lessThan": "4.22.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-07-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-180",
"description": "Incorrect Behavior Order: Validate Before Canonicalize (CWE-180).",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-20T17:25:18",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2022-07-20T00:00:00",
"ID": "CVE-2022-26136",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bamboo Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.0.9"
},
{
"version_affected": "\u003e=",
"version_value": "8.1.0"
},
{
"version_affected": "\u003c",
"version_value": "8.1.8"
},
{
"version_affected": "\u003e=",
"version_value": "8.2.0"
},
{
"version_affected": "\u003c",
"version_value": "8.2.4"
}
]
}
},
{
"product_name": "Bamboo Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.0.9"
},
{
"version_affected": "\u003e=",
"version_value": "8.1.0"
},
{
"version_affected": "\u003c",
"version_value": "8.1.8"
},
{
"version_affected": "\u003e=",
"version_value": "8.2.0"
},
{
"version_affected": "\u003c",
"version_value": "8.2.4"
}
]
}
},
{
"product_name": "Bitbucket Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.6.16"
},
{
"version_affected": "\u003e=",
"version_value": "7.7.0"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.8"
},
{
"version_affected": "\u003e=",
"version_value": "7.18.0"
},
{
"version_affected": "\u003c",
"version_value": "7.19.5"
},
{
"version_affected": "\u003e=",
"version_value": "7.20.0"
},
{
"version_affected": "\u003c",
"version_value": "7.20.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.21.0"
},
{
"version_affected": "\u003c",
"version_value": "7.21.2"
},
{
"version_affected": "=",
"version_value": "8.0.0"
},
{
"version_affected": "=",
"version_value": "8.1.0"
}
]
}
},
{
"product_name": "Bitbucket Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.6.16"
},
{
"version_affected": "\u003e=",
"version_value": "7.7.0"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.8"
},
{
"version_affected": "\u003e=",
"version_value": "7.18.0"
},
{
"version_affected": "\u003c",
"version_value": "7.19.5"
},
{
"version_affected": "\u003e=",
"version_value": "7.20.0"
},
{
"version_affected": "\u003c",
"version_value": "7.20.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.21.0"
},
{
"version_affected": "\u003c",
"version_value": "7.21.2"
},
{
"version_affected": "=",
"version_value": "8.0.0"
},
{
"version_affected": "=",
"version_value": "8.1.0"
}
]
}
},
{
"product_name": "Confluence Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.4.17"
},
{
"version_affected": "\u003e=",
"version_value": "7.5.0"
},
{
"version_affected": "\u003c",
"version_value": "7.13.7"
},
{
"version_affected": "\u003e=",
"version_value": "7.14.0"
},
{
"version_affected": "\u003c",
"version_value": "7.14.3"
},
{
"version_affected": "\u003e=",
"version_value": "7.15.0"
},
{
"version_affected": "\u003c",
"version_value": "7.15.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.16.4"
},
{
"version_affected": "\u003e=",
"version_value": "7.17.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.4"
},
{
"version_affected": "=",
"version_value": "7.18.0"
}
]
}
},
{
"product_name": "Confluence Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.4.17"
},
{
"version_affected": "\u003e=",
"version_value": "7.5.0"
},
{
"version_affected": "\u003c",
"version_value": "7.13.7"
},
{
"version_affected": "\u003e=",
"version_value": "7.14.0"
},
{
"version_affected": "\u003c",
"version_value": "7.14.3"
},
{
"version_affected": "\u003e=",
"version_value": "7.15.0"
},
{
"version_affected": "\u003c",
"version_value": "7.15.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.16.0"
},
{
"version_affected": "\u003c",
"version_value": "7.16.4"
},
{
"version_affected": "\u003e=",
"version_value": "7.17.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.4"
},
{
"version_affected": "=",
"version_value": "7.18.0"
}
]
}
},
{
"product_name": "Crowd Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.3.8"
},
{
"version_affected": "\u003e=",
"version_value": "4.4.0"
},
{
"version_affected": "\u003c",
"version_value": "4.4.2"
},
{
"version_affected": "=",
"version_value": "5.0.0"
}
]
}
},
{
"product_name": "Crowd Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.3.8"
},
{
"version_affected": "\u003e=",
"version_value": "4.4.0"
},
{
"version_affected": "\u003c",
"version_value": "4.4.2"
},
{
"version_affected": "=",
"version_value": "5.0.0"
}
]
}
},
{
"product_name": "Crucible",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.8.10"
}
]
}
},
{
"product_name": "Fisheye",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.8.10"
}
]
}
},
{
"product_name": "Jira Core Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "8.14.0"
},
{
"version_affected": "\u003c",
"version_value": "8.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "8.21.0"
},
{
"version_affected": "\u003c",
"version_value": "8.22.4"
}
]
}
},
{
"product_name": "Jira Software Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "8.14.0"
},
{
"version_affected": "\u003c",
"version_value": "8.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "8.21.0"
},
{
"version_affected": "\u003c",
"version_value": "8.22.4"
}
]
}
},
{
"product_name": "Jira Software Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "8.14.0"
},
{
"version_affected": "\u003c",
"version_value": "8.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "8.21.0"
},
{
"version_affected": "\u003c",
"version_value": "8.22.4"
}
]
}
},
{
"product_name": "Jira Service Management Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "4.14.0"
},
{
"version_affected": "\u003c",
"version_value": "4.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "4.21.0"
},
{
"version_affected": "\u003c",
"version_value": "4.22.4"
}
]
}
},
{
"product_name": "Jira Service Management Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.13.22"
},
{
"version_affected": "\u003e=",
"version_value": "4.14.0"
},
{
"version_affected": "\u003c",
"version_value": "4.20.10"
},
{
"version_affected": "\u003e=",
"version_value": "4.21.0"
},
{
"version_affected": "\u003c",
"version_value": "4.22.4"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Incorrect Behavior Order: Validate Before Canonicalize (CWE-180)."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BAM-21795",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BAM-21795"
},
{
"name": "https://jira.atlassian.com/browse/BSERV-13370",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BSERV-13370"
},
{
"name": "https://jira.atlassian.com/browse/CONFSERVER-79476",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/CONFSERVER-79476"
},
{
"name": "https://jira.atlassian.com/browse/CWD-5815",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/CWD-5815"
},
{
"name": "https://jira.atlassian.com/browse/FE-7410",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/FE-7410"
},
{
"name": "https://jira.atlassian.com/browse/CRUC-8541",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/CRUC-8541"
},
{
"name": "https://jira.atlassian.com/browse/JRASERVER-73897",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/JRASERVER-73897"
},
{
"name": "https://jira.atlassian.com/browse/JSDSERVER-11863",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/JSDSERVER-11863"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2022-26136",
"datePublished": "2022-07-20T17:25:18.803466Z",
"dateReserved": "2022-02-25T00:00:00",
"dateUpdated": "2024-10-03T16:43:16.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36233 (GCVE-0-2020-36233)
Vulnerability from nvd – Published: 2021-02-18 15:16 – Updated: 2024-09-16 19:30
VLAI?
Summary
The Microsoft Windows Installer for Atlassian Bitbucket Server and Data Center before version 6.10.9, 7.x before 7.6.4, and from version 7.7.0 before 7.10.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
Severity ?
No CVSS data available.
CWE
- Incorrect Permission Assignment for Critical Resource
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Atlassian | Bitbucket Server |
Affected:
unspecified , < 6.10.9
(custom)
Affected: 7.0.0 , < unspecified (custom) Affected: unspecified , < 7.6.4 (custom) Affected: 7.7.0 , < unspecified (custom) Affected: unspecified , < 7.10.1 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:09.677Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-12753"
},
{
"name": "VU#240785",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "https://www.kb.cert.org/vuls/id/240785"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "6.10.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.6.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "7.10.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "6.10.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.6.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "7.10.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-02-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Microsoft Windows Installer for Atlassian Bitbucket Server and Data Center before version 6.10.9, 7.x before 7.6.4, and from version 7.7.0 before 7.10.1 allows local attackers to escalate privileges because of weak permissions on the installation directory."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-18T19:06:08",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BSERV-12753"
},
{
"name": "VU#240785",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "https://www.kb.cert.org/vuls/id/240785"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2021-02-16T00:00:00",
"ID": "CVE-2020-36233",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bitbucket Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "6.10.9"
},
{
"version_affected": "\u003e=",
"version_value": "7.0.0"
},
{
"version_affected": "\u003c",
"version_value": "7.6.4"
},
{
"version_affected": "\u003e=",
"version_value": "7.7.0"
},
{
"version_affected": "\u003c",
"version_value": "7.10.1"
}
]
}
},
{
"product_name": "Bitbucket Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "6.10.9"
},
{
"version_affected": "\u003e=",
"version_value": "7.0.0"
},
{
"version_affected": "\u003c",
"version_value": "7.6.4"
},
{
"version_affected": "\u003e=",
"version_value": "7.7.0"
},
{
"version_affected": "\u003c",
"version_value": "7.10.1"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Microsoft Windows Installer for Atlassian Bitbucket Server and Data Center before version 6.10.9, 7.x before 7.6.4, and from version 7.7.0 before 7.10.1 allows local attackers to escalate privileges because of weak permissions on the installation directory."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Incorrect Permission Assignment for Critical Resource"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BSERV-12753",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BSERV-12753"
},
{
"name": "VU#240785",
"refsource": "CERT-VN",
"url": "https://www.kb.cert.org/vuls/id/240785"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2020-36233",
"datePublished": "2021-02-18T15:16:22.101146Z",
"dateReserved": "2021-01-27T00:00:00",
"dateUpdated": "2024-09-16T19:30:12.974Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-14170 (GCVE-0-2020-14170)
Vulnerability from nvd – Published: 2020-07-09 17:20 – Updated: 2024-09-17 04:09
VLAI?
Summary
Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability.
Severity ?
No CVSS data available.
CWE
- Server Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Atlassian | Bitbucket Server |
Affected:
5.4.0 , < unspecified
(custom)
Affected: unspecified , < 7.3.1 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:39:36.189Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-12433"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "5.4.0",
"versionType": "custom"
},
{
"lessThan": "7.3.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-07-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Server Side Request Forgery (SSRF)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-09T17:20:48",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BSERV-12433"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2020-07-09T00:00:00",
"ID": "CVE-2020-14170",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bitbucket Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "5.4.0"
},
{
"version_affected": "\u003c",
"version_value": "7.3.1"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Server Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BSERV-12433",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BSERV-12433"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2020-14170",
"datePublished": "2020-07-09T17:20:48.079852Z",
"dateReserved": "2020-06-16T00:00:00",
"dateUpdated": "2024-09-17T04:09:37.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-14171 (GCVE-0-2020-14171)
Vulnerability from nvd – Published: 2020-07-09 17:17 – Updated: 2024-09-17 02:01
VLAI?
Summary
Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 allows remote attackers to intercept unencrypted repository import requests via a Man-in-the-Middle (MITM) attack.
Severity ?
No CVSS data available.
CWE
- Man-in-the-Middle (MITM)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Atlassian | Bitbucket Server |
Affected:
4.9.0 , < unspecified
(custom)
Affected: unspecified , < 7.2.4 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:39:36.011Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-12434"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.9.0",
"versionType": "custom"
},
{
"lessThan": "7.2.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-07-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 allows remote attackers to intercept unencrypted repository import requests via a Man-in-the-Middle (MITM) attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Man-in-the-Middle (MITM)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-09T17:17:29",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BSERV-12434"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2020-07-09T00:00:00",
"ID": "CVE-2020-14171",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bitbucket Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "4.9.0"
},
{
"version_affected": "\u003c",
"version_value": "7.2.4"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 allows remote attackers to intercept unencrypted repository import requests via a Man-in-the-Middle (MITM) attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Man-in-the-Middle (MITM)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BSERV-12434",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BSERV-12434"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2020-14171",
"datePublished": "2020-07-09T17:17:29.210940Z",
"dateReserved": "2020-06-16T00:00:00",
"dateUpdated": "2024-09-17T02:01:36.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15012 (GCVE-0-2019-15012)
Vulnerability from nvd – Published: 2020-01-15 20:46 – Updated: 2024-09-17 04:24
VLAI?
Summary
Bitbucket Server and Bitbucket Data Center from version 4.13. before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the edit-file request. A remote attacker with write permission on a repository can write to any arbitrary file to the victims Bitbucket Server or Bitbucket Data Center instance using the edit-file endpoint, if the user has Bitbucket Server or Bitbucket Data Center running, and has the permission to write the file at that destination. In some cases, this can result in execution of arbitrary code by the victims Bitbucket Server or Bitbucket Data Center instance.
Severity ?
No CVSS data available.
CWE
- Path traversal
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Atlassian | Bitbucket Server |
Affected:
4.13 , < unspecified
(custom)
Affected: unspecified , < 5.16.11 (custom) Affected: 6.0 , < unspecified (custom) Affected: unspecified , < 6.0.11 (custom) Affected: 6.1.0 , < unspecified (custom) Affected: unspecified , < 6.1.9 (custom) Affected: 6.2.0 , < unspecified (custom) Affected: unspecified , < 6.2.7 (custom) Affected: 6.3.0 , < unspecified (custom) Affected: unspecified , < 6.3.6 (custom) Affected: 6.4.0 , < unspecified (custom) Affected: unspecified , < 6.4.4 (custom) Affected: 6.5.0 , < unspecified (custom) Affected: unspecified , < 6.5.3 (custom) Affected: 6.6.0 , < unspecified (custom) Affected: unspecified , < 6.6.3 (custom) Affected: 6.7.0 , < unspecified (custom) Affected: unspecified , < 6.7.3 (custom) Affected: 6.8.0 , < unspecified (custom) Affected: unspecified , < 6.8.2 (custom) Affected: 6.9.0 , < unspecified (custom) Affected: unspecified , < 6.9.1 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:34:53.124Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-12100"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.13",
"versionType": "custom"
},
{
"lessThan": "5.16.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "6.0.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "6.1.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.2.0",
"versionType": "custom"
},
{
"lessThan": "6.2.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.3.0",
"versionType": "custom"
},
{
"lessThan": "6.3.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.4.0",
"versionType": "custom"
},
{
"lessThan": "6.4.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.5.0",
"versionType": "custom"
},
{
"lessThan": "6.5.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
},
{
"lessThan": "6.6.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.7.0",
"versionType": "custom"
},
{
"lessThan": "6.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.8.0",
"versionType": "custom"
},
{
"lessThan": "6.8.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.9.0",
"versionType": "custom"
},
{
"lessThan": "6.9.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.13",
"versionType": "custom"
},
{
"lessThan": "5.16.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "6.0.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "6.1.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.2.0",
"versionType": "custom"
},
{
"lessThan": "6.2.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.3.0",
"versionType": "custom"
},
{
"lessThan": "6.3.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.4.0",
"versionType": "custom"
},
{
"lessThan": "6.4.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.5.0",
"versionType": "custom"
},
{
"lessThan": "6.5.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
},
{
"lessThan": "6.6.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.7.0",
"versionType": "custom"
},
{
"lessThan": "6.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.8.0",
"versionType": "custom"
},
{
"lessThan": "6.8.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.9.0",
"versionType": "custom"
},
{
"lessThan": "6.9.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-01-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Bitbucket Server and Bitbucket Data Center from version 4.13. before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the edit-file request. A remote attacker with write permission on a repository can write to any arbitrary file to the victims Bitbucket Server or Bitbucket Data Center instance using the edit-file endpoint, if the user has Bitbucket Server or Bitbucket Data Center running, and has the permission to write the file at that destination. In some cases, this can result in execution of arbitrary code by the victims Bitbucket Server or Bitbucket Data Center instance."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Path traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-15T20:46:56",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BSERV-12100"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2020-01-15T10:00:00",
"ID": "CVE-2019-15012",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bitbucket Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "4.13"
},
{
"version_affected": "\u003c",
"version_value": "5.16.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.0.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.1.0"
},
{
"version_affected": "\u003c",
"version_value": "6.1.9"
},
{
"version_affected": "\u003e=",
"version_value": "6.2.0"
},
{
"version_affected": "\u003c",
"version_value": "6.2.7"
},
{
"version_affected": "\u003e=",
"version_value": "6.3.0"
},
{
"version_affected": "\u003c",
"version_value": "6.3.6"
},
{
"version_affected": "\u003e=",
"version_value": "6.4.0"
},
{
"version_affected": "\u003c",
"version_value": "6.4.4"
},
{
"version_affected": "\u003e=",
"version_value": "6.5.0"
},
{
"version_affected": "\u003c",
"version_value": "6.5.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.6.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.7.0"
},
{
"version_affected": "\u003c",
"version_value": "6.7.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.8.0"
},
{
"version_affected": "\u003c",
"version_value": "6.8.2"
},
{
"version_affected": "\u003e=",
"version_value": "6.9.0"
},
{
"version_affected": "\u003c",
"version_value": "6.9.1"
}
]
}
},
{
"product_name": "Bitbucket Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "4.13"
},
{
"version_affected": "\u003c",
"version_value": "5.16.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.0.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.1.0"
},
{
"version_affected": "\u003c",
"version_value": "6.1.9"
},
{
"version_affected": "\u003e=",
"version_value": "6.2.0"
},
{
"version_affected": "\u003c",
"version_value": "6.2.7"
},
{
"version_affected": "\u003e=",
"version_value": "6.3.0"
},
{
"version_affected": "\u003c",
"version_value": "6.3.6"
},
{
"version_affected": "\u003e=",
"version_value": "6.4.0"
},
{
"version_affected": "\u003c",
"version_value": "6.4.4"
},
{
"version_affected": "\u003e=",
"version_value": "6.5.0"
},
{
"version_affected": "\u003c",
"version_value": "6.5.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.6.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.7.0"
},
{
"version_affected": "\u003c",
"version_value": "6.7.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.8.0"
},
{
"version_affected": "\u003c",
"version_value": "6.8.2"
},
{
"version_affected": "\u003e=",
"version_value": "6.9.0"
},
{
"version_affected": "\u003c",
"version_value": "6.9.1"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bitbucket Server and Bitbucket Data Center from version 4.13. before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the edit-file request. A remote attacker with write permission on a repository can write to any arbitrary file to the victims Bitbucket Server or Bitbucket Data Center instance using the edit-file endpoint, if the user has Bitbucket Server or Bitbucket Data Center running, and has the permission to write the file at that destination. In some cases, this can result in execution of arbitrary code by the victims Bitbucket Server or Bitbucket Data Center instance."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Path traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BSERV-12100",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BSERV-12100"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2019-15012",
"datePublished": "2020-01-15T20:46:56.181070Z",
"dateReserved": "2019-08-13T00:00:00",
"dateUpdated": "2024-09-17T04:24:12.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15010 (GCVE-0-2019-15010)
Vulnerability from nvd – Published: 2020-01-15 20:46 – Updated: 2024-09-16 22:56
VLAI?
Summary
Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim's systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim's Bitbucket Server or Bitbucket Data Center instance.
Severity ?
No CVSS data available.
CWE
- Expression Language Injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Atlassian | Bitbucket Server |
Affected:
3.0 , < unspecified
(custom)
Affected: unspecified , < 5.16.11 (custom) Affected: 6.0 , < unspecified (custom) Affected: unspecified , < 6.0.11 (custom) Affected: 6.1.0 , < unspecified (custom) Affected: unspecified , < 6.1.9 (custom) Affected: 6.2.0 , < unspecified (custom) Affected: unspecified , < 6.2.7 (custom) Affected: 6.3.0 , < unspecified (custom) Affected: unspecified , < 6.3.6 (custom) Affected: 6.4.0 , < unspecified (custom) Affected: unspecified , < 6.4.4 (custom) Affected: 6.5.0 , < unspecified (custom) Affected: unspecified , < 6.5.3 (custom) Affected: 6.6.0 , < unspecified (custom) Affected: unspecified , < 6.6.3 (custom) Affected: 6.7.0 , < unspecified (custom) Affected: unspecified , < 6.7.3 (custom) Affected: 6.8.0 , < unspecified (custom) Affected: unspecified , < 6.8.2 (custom) Affected: 6.9.0 , < unspecified (custom) Affected: unspecified , < 6.9.1 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:34:53.027Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-12098"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.0",
"versionType": "custom"
},
{
"lessThan": "5.16.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "6.0.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "6.1.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.2.0",
"versionType": "custom"
},
{
"lessThan": "6.2.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.3.0",
"versionType": "custom"
},
{
"lessThan": "6.3.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.4.0",
"versionType": "custom"
},
{
"lessThan": "6.4.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.5.0",
"versionType": "custom"
},
{
"lessThan": "6.5.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
},
{
"lessThan": "6.6.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.7.0",
"versionType": "custom"
},
{
"lessThan": "6.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.8.0",
"versionType": "custom"
},
{
"lessThan": "6.8.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.9.0",
"versionType": "custom"
},
{
"lessThan": "6.9.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.0",
"versionType": "custom"
},
{
"lessThan": "5.16.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "6.0.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "6.1.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.2.0",
"versionType": "custom"
},
{
"lessThan": "6.2.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.3.0",
"versionType": "custom"
},
{
"lessThan": "6.3.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.4.0",
"versionType": "custom"
},
{
"lessThan": "6.4.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.5.0",
"versionType": "custom"
},
{
"lessThan": "6.5.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
},
{
"lessThan": "6.6.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.7.0",
"versionType": "custom"
},
{
"lessThan": "6.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.8.0",
"versionType": "custom"
},
{
"lessThan": "6.8.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.9.0",
"versionType": "custom"
},
{
"lessThan": "6.9.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-01-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim\u0027s systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim\u0027s Bitbucket Server or Bitbucket Data Center instance."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Expression Language Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-15T20:46:56",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BSERV-12098"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2020-01-15T10:00:00",
"ID": "CVE-2019-15010",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bitbucket Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "3.0"
},
{
"version_affected": "\u003c",
"version_value": "5.16.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.0.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.1.0"
},
{
"version_affected": "\u003c",
"version_value": "6.1.9"
},
{
"version_affected": "\u003e=",
"version_value": "6.2.0"
},
{
"version_affected": "\u003c",
"version_value": "6.2.7"
},
{
"version_affected": "\u003e=",
"version_value": "6.3.0"
},
{
"version_affected": "\u003c",
"version_value": "6.3.6"
},
{
"version_affected": "\u003e=",
"version_value": "6.4.0"
},
{
"version_affected": "\u003c",
"version_value": "6.4.4"
},
{
"version_affected": "\u003e=",
"version_value": "6.5.0"
},
{
"version_affected": "\u003c",
"version_value": "6.5.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.6.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.7.0"
},
{
"version_affected": "\u003c",
"version_value": "6.7.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.8.0"
},
{
"version_affected": "\u003c",
"version_value": "6.8.2"
},
{
"version_affected": "\u003e=",
"version_value": "6.9.0"
},
{
"version_affected": "\u003c",
"version_value": "6.9.1"
}
]
}
},
{
"product_name": "Bitbucket Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "3.0"
},
{
"version_affected": "\u003c",
"version_value": "5.16.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.0.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.1.0"
},
{
"version_affected": "\u003c",
"version_value": "6.1.9"
},
{
"version_affected": "\u003e=",
"version_value": "6.2.0"
},
{
"version_affected": "\u003c",
"version_value": "6.2.7"
},
{
"version_affected": "\u003e=",
"version_value": "6.3.0"
},
{
"version_affected": "\u003c",
"version_value": "6.3.6"
},
{
"version_affected": "\u003e=",
"version_value": "6.4.0"
},
{
"version_affected": "\u003c",
"version_value": "6.4.4"
},
{
"version_affected": "\u003e=",
"version_value": "6.5.0"
},
{
"version_affected": "\u003c",
"version_value": "6.5.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.6.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.7.0"
},
{
"version_affected": "\u003c",
"version_value": "6.7.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.8.0"
},
{
"version_affected": "\u003c",
"version_value": "6.8.2"
},
{
"version_affected": "\u003e=",
"version_value": "6.9.0"
},
{
"version_affected": "\u003c",
"version_value": "6.9.1"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim\u0027s systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim\u0027s Bitbucket Server or Bitbucket Data Center instance."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Expression Language Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BSERV-12098",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BSERV-12098"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2019-15010",
"datePublished": "2020-01-15T20:46:56.108707Z",
"dateReserved": "2019-08-13T00:00:00",
"dateUpdated": "2024-09-16T22:56:09.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-20097 (GCVE-0-2019-20097)
Vulnerability from nvd – Published: 2020-01-15 20:46 – Updated: 2024-09-16 18:48
VLAI?
Summary
Bitbucket Server and Bitbucket Data Center versions starting from 1.0.0 before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the post-receive hook. A remote attacker with permission to clone and push files to a repository on the victim's Bitbucket Server or Bitbucket Data Center instance, can exploit this vulnerability to execute arbitrary commands on the Bitbucket Server or Bitbucket Data Center systems, using a file with specially crafted content.
Severity ?
No CVSS data available.
CWE
- Argument Injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Atlassian | Bitbucket Server |
Affected:
1.0 , < unspecified
(custom)
Affected: unspecified , < 5.16.11 (custom) Affected: 6.0 , < unspecified (custom) Affected: unspecified , < 6.0.11 (custom) Affected: 6.1.0 , < unspecified (custom) Affected: unspecified , < 6.1.9 (custom) Affected: 6.2.0 , < unspecified (custom) Affected: unspecified , < 6.2.7 (custom) Affected: 6.3.0 , < unspecified (custom) Affected: unspecified , < 6.3.6 (custom) Affected: 6.4.0 , < unspecified (custom) Affected: unspecified , < 6.4.4 (custom) Affected: 6.5.0 , < unspecified (custom) Affected: unspecified , < 6.5.3 (custom) Affected: 6.6.0 , < unspecified (custom) Affected: unspecified , < 6.6.3 (custom) Affected: 6.7.0 , < unspecified (custom) Affected: unspecified , < 6.7.3 (custom) Affected: 6.8.0 , < unspecified (custom) Affected: unspecified , < 6.8.2 (custom) Affected: 6.9.0 , < unspecified (custom) Affected: unspecified , < 6.9.1 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:32:10.612Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-12099"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "1.0",
"versionType": "custom"
},
{
"lessThan": "5.16.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "6.0.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "6.1.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.2.0",
"versionType": "custom"
},
{
"lessThan": "6.2.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.3.0",
"versionType": "custom"
},
{
"lessThan": "6.3.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.4.0",
"versionType": "custom"
},
{
"lessThan": "6.4.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.5.0",
"versionType": "custom"
},
{
"lessThan": "6.5.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
},
{
"lessThan": "6.6.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.7.0",
"versionType": "custom"
},
{
"lessThan": "6.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.8.0",
"versionType": "custom"
},
{
"lessThan": "6.8.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.9.0",
"versionType": "custom"
},
{
"lessThan": "6.9.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "1.0",
"versionType": "custom"
},
{
"lessThan": "5.16.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "6.0.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "6.1.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.2.0",
"versionType": "custom"
},
{
"lessThan": "6.2.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.3.0",
"versionType": "custom"
},
{
"lessThan": "6.3.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.4.0",
"versionType": "custom"
},
{
"lessThan": "6.4.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.5.0",
"versionType": "custom"
},
{
"lessThan": "6.5.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.6.0",
"versionType": "custom"
},
{
"lessThan": "6.6.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.7.0",
"versionType": "custom"
},
{
"lessThan": "6.7.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.8.0",
"versionType": "custom"
},
{
"lessThan": "6.8.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.9.0",
"versionType": "custom"
},
{
"lessThan": "6.9.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-01-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Bitbucket Server and Bitbucket Data Center versions starting from 1.0.0 before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the post-receive hook. A remote attacker with permission to clone and push files to a repository on the victim\u0027s Bitbucket Server or Bitbucket Data Center instance, can exploit this vulnerability to execute arbitrary commands on the Bitbucket Server or Bitbucket Data Center systems, using a file with specially crafted content."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Argument Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-15T20:46:56",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BSERV-12099"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2020-01-15T10:00:00",
"ID": "CVE-2019-20097",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bitbucket Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "1.0"
},
{
"version_affected": "\u003c",
"version_value": "5.16.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.0.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.1.0"
},
{
"version_affected": "\u003c",
"version_value": "6.1.9"
},
{
"version_affected": "\u003e=",
"version_value": "6.2.0"
},
{
"version_affected": "\u003c",
"version_value": "6.2.7"
},
{
"version_affected": "\u003e=",
"version_value": "6.3.0"
},
{
"version_affected": "\u003c",
"version_value": "6.3.6"
},
{
"version_affected": "\u003e=",
"version_value": "6.4.0"
},
{
"version_affected": "\u003c",
"version_value": "6.4.4"
},
{
"version_affected": "\u003e=",
"version_value": "6.5.0"
},
{
"version_affected": "\u003c",
"version_value": "6.5.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.6.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.7.0"
},
{
"version_affected": "\u003c",
"version_value": "6.7.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.8.0"
},
{
"version_affected": "\u003c",
"version_value": "6.8.2"
},
{
"version_affected": "\u003e=",
"version_value": "6.9.0"
},
{
"version_affected": "\u003c",
"version_value": "6.9.1"
}
]
}
},
{
"product_name": "Bitbucket Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "1.0"
},
{
"version_affected": "\u003c",
"version_value": "5.16.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.0.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.1.0"
},
{
"version_affected": "\u003c",
"version_value": "6.1.9"
},
{
"version_affected": "\u003e=",
"version_value": "6.2.0"
},
{
"version_affected": "\u003c",
"version_value": "6.2.7"
},
{
"version_affected": "\u003e=",
"version_value": "6.3.0"
},
{
"version_affected": "\u003c",
"version_value": "6.3.6"
},
{
"version_affected": "\u003e=",
"version_value": "6.4.0"
},
{
"version_affected": "\u003c",
"version_value": "6.4.4"
},
{
"version_affected": "\u003e=",
"version_value": "6.5.0"
},
{
"version_affected": "\u003c",
"version_value": "6.5.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.6.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.7.0"
},
{
"version_affected": "\u003c",
"version_value": "6.7.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.8.0"
},
{
"version_affected": "\u003c",
"version_value": "6.8.2"
},
{
"version_affected": "\u003e=",
"version_value": "6.9.0"
},
{
"version_affected": "\u003c",
"version_value": "6.9.1"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bitbucket Server and Bitbucket Data Center versions starting from 1.0.0 before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the post-receive hook. A remote attacker with permission to clone and push files to a repository on the victim\u0027s Bitbucket Server or Bitbucket Data Center instance, can exploit this vulnerability to execute arbitrary commands on the Bitbucket Server or Bitbucket Data Center systems, using a file with specially crafted content."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Argument Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BSERV-12099",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BSERV-12099"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2019-20097",
"datePublished": "2020-01-15T20:46:56.225730Z",
"dateReserved": "2019-12-30T00:00:00",
"dateUpdated": "2024-09-16T18:48:48.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}