Cyber Resilience

CVE-2022-26136

Critical

Published: 20 July 2022

Modified: 21 November 2024
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0031 (54.9th percentile)
Risk priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-26136 is a critical-severity Incorrect Behavior Order: Validate Before Canonicalize (CWE-180) vulnerability in Atlassian Bitbucket. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 45.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.


Vulnerability details

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability.

Affected versions by product:

Atlassian Bamboo: before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4.
Atlassian Bitbucket: before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0.
Atlassian Confluence: before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0.
Atlassian Crowd: before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0.
Atlassian Fisheye and Crucible: before 4.8.10.
Atlassian Jira: before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4.
Atlassian Jira Service Management: before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / product: affected version ranges (as listed in NVD configurations)

atlassian / bamboo: 7.2.0 — 7.2.10 · 8.0.0 — 8.0.9 · 8.1.0 — 8.1.8
atlassian / bitbucket: 8.0.0, 8.1.0 · ≤ 7.6.16 · 7.7.0 — 7.17.8 · 7.18.0 — 7.19.5
atlassian / confluence data center: 7.18.0 · ≤ 7.4.17 · 7.5.0 — 7.13.7 · 7.14.0 — 7.14.3
atlassian / confluence server: 7.18.0 · ≤ 7.4.17 · 7.5.0 — 7.13.7 · 7.14.0 — 7.14.3
atlassian / crowd: 5.0.0 · ≤ 4.3.8 · 4.4.0 — 4.4.2
atlassian / crucible: ≤ 4.8.10
atlassian / fisheye: ≤ 4.8.10
atlassian / jira data center: 8.13.0 — 8.13.22 · 8.14.0 — 8.20.10 · 8.21.0 — 8.22.4
atlassian / jira server: 8.13.0 — 8.13.22 · 8.14.0 — 8.20.10 · 8.21.0 — 8.22.4
atlassian / jira service desk: ≤ 4.13.22

Plus 1 more product configuration; see NVD for the full list.

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. Each control below addresses CWE-287 (Improper Authentication).

- Detects unauthorized successful logons resulting from improper authentication implementations.
- Documented procedures ensure personnel are trained on authentication mechanisms, tangibly lowering the risk of improper authentication being exploited.
- Security awareness training instructs users on secure authentication practices and avoiding credential compromise.
- Training on authentication mechanisms and best practices decreases the occurrence of improper authentication.
- Non-repudiation requires strong authentication mechanisms to irrefutably attribute performed actions to specific individuals or processes.
- Session content review can reveal authentication bypasses or failures in session establishment.
- Review of authentication-related audit records can detect improper authentication mechanisms or bypasses.
- Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts.
