gsd-2022-26133
Vulnerability from gsd
Modified
2023-12-13 01:19
Details
SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization.
Aliases
Aliases
CVE-2022-26133


To clipboard 

{
  "GSD": {
    "alias": "CVE-2022-26133",
    "description": "SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization.",
    "id": "GSD-2022-26133"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-26133"
      ],
      "details": "SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization.",
      "id": "GSD-2022-26133",
      "modified": "2023-12-13T01:19:39.490314Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@atlassian.com",
        "DATE_PUBLIC": "2022-03-24T23:00:00",
        "ID": "CVE-2022-26133",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Bitbucket Data Center",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003e=",
                          "version_value": "5.14.0"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "7.6.14"
                        },
                        {
                          "version_affected": "\u003e=",
                          "version_value": "7.7.0"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "7.17.6"
                        },
                        {
                          "version_affected": "\u003e=",
                          "version_value": "7.18.0"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "7.18.4"
                        },
                        {
                          "version_affected": "\u003e=",
                          "version_value": "7.19.0"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "7.19.4"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "7.20.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Atlassian"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Deserialization of untrusted data"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://jira.atlassian.com/browse/BSERV-13173",
            "refsource": "MISC",
            "url": "https://jira.atlassian.com/browse/BSERV-13173"
          },
          {
            "name": "https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html",
            "refsource": "MISC",
            "url": "https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:atlassian:bitbucket_data_center:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.6.14",
                "versionStartIncluding": "5.14.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:atlassian:bitbucket_data_center:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.17.6",
                "versionStartIncluding": "7.7.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:atlassian:bitbucket_data_center:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.18.4",
                "versionStartIncluding": "7.18.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:atlassian:bitbucket_data_center:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.19.4",
                "versionStartIncluding": "7.19.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:atlassian:bitbucket_data_center:7.20.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@atlassian.com",
          "ID": "CVE-2022-26133"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-502"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jira.atlassian.com/browse/BSERV-13173",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://jira.atlassian.com/browse/BSERV-13173"
            },
            {
              "name": "https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2022-04-28T17:50Z",
      "publishedDate": "2022-04-20T19:15Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.