Cyber Resilience

CVE-2022-26137

Severity: High
Published: 20 July 2022
Modified: 21 November 2024
KEV Added: not listed
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.6th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-26137 is a high-severity Incorrect Behavior Order: Validate Before Canonicalize (CWE-180) vulnerability in Atlassian Bitbucket. Its CVSS base score is 8.8 (High).

Operationally, its EPSS score places it at the 30.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: a cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim's permissions.

Affected versions by product:

Atlassian Bamboo: before 8.0.9; from 8.1.0 before 8.1.8; from 8.2.0 before 8.2.4.
Atlassian Bitbucket: before 7.6.16; from 7.7.0 before 7.17.8; from 7.18.0 before 7.19.5; from 7.20.0 before 7.20.2; from 7.21.0 before 7.21.2; and versions 8.0.0 and 8.1.0.
Atlassian Confluence: before 7.4.17; from 7.5.0 before 7.13.7; from 7.14.0 before 7.14.3; from 7.15.0 before 7.15.2; from 7.16.0 before 7.16.4; from 7.17.0 before 7.17.4; and version 7.21.0.
Atlassian Crowd: before 4.3.8; from 4.4.0 before 4.4.2; and version 5.0.0.
Atlassian Fisheye and Crucible: before 4.8.10.
Atlassian Jira: before 8.13.22; from 8.14.0 before 8.20.10; from 8.21.0 before 8.22.4.
Atlassian Jira Service Management: before 4.13.22; from 4.14.0 before 4.20.10; from 4.21.0 before 4.22.4.
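The version ranges above mix exclusive upper bounds ("before 7.19.5"), inclusive lower bounds ("from 7.18.0") and single affected releases ("8.0.0 and 8.1.0"), which is easy to get wrong when checking an inventory by hand. The following is an added example, not code from this page or from Atlassian: it encodes the ranges exactly as the advisory text states them and decides whether an installed version of each product is affected. The product keys and the inventory at the bottom are constructed for the example; version strings are assumed to be dotted integers.

```python
"""Decide whether installed Atlassian product versions fall inside the
CVE-2022-26137 affected ranges transcribed from the advisory text.

Range semantics: (lower, upper) means lower <= v < upper; a lower bound of
None means "every version below upper". Single affected releases are kept
in a separate exact-match table. Product keys are this example's own.
"""

from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
Range = Tuple[Optional[str], str]


def parse_version(text: str) -> Version:
    """Parse "7.19.4" into (7, 19, 4); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


# Transcribed from the advisory: "before X" -> (None, X); "from A before B" -> (A, B).
AFFECTED_RANGES: Dict[str, List[Range]] = {
    "bamboo": [(None, "8.0.9"), ("8.1.0", "8.1.8"), ("8.2.0", "8.2.4")],
    "bitbucket": [(None, "7.6.16"), ("7.7.0", "7.17.8"), ("7.18.0", "7.19.5"),
                  ("7.20.0", "7.20.2"), ("7.21.0", "7.21.2")],
    "confluence": [(None, "7.4.17"), ("7.5.0", "7.13.7"), ("7.14.0", "7.14.3"),
                   ("7.15.0", "7.15.2"), ("7.16.0", "7.16.4"), ("7.17.0", "7.17.4")],
    "crowd": [(None, "4.3.8"), ("4.4.0", "4.4.2")],
    "fisheye": [(None, "4.8.10")],
    "crucible": [(None, "4.8.10")],
    "jira": [(None, "8.13.22"), ("8.14.0", "8.20.10"), ("8.21.0", "8.22.4")],
    "jira-service-management": [(None, "4.13.22"), ("4.14.0", "4.20.10"),
                                ("4.21.0", "4.22.4")],
}

# Releases the advisory names individually rather than as a range.
AFFECTED_EXACT: Dict[str, List[str]] = {
    "bitbucket": ["8.0.0", "8.1.0"],
    "confluence": ["7.21.0"],
    "crowd": ["5.0.0"],
}


def is_affected(product: str, version: str) -> bool:
    """True if the given product/version is inside an affected range or exact match."""
    if product not in AFFECTED_RANGES:
        raise ValueError(f"unknown product key: {product!r}")
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES[product]:
        lower_ok = lower is None or parse_version(lower) <= v
        if lower_ok and v < parse_version(upper):
            return True
    return any(parse_version(exact) == v for exact in AFFECTED_EXACT.get(product, []))


def affected_hosts(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Filter an inventory of (host, product, version) down to affected entries."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


# Constructed sample inventory for the example; hostnames are placeholders.
SAMPLE_INVENTORY = [
    ("git.example.test", "bitbucket", "7.19.4"),   # inside 7.18.0 <= v < 7.19.5
    ("git2.example.test", "bitbucket", "7.19.5"),  # first fixed release
    ("wiki.example.test", "confluence", "7.21.0"), # named individually as affected
    ("jira.example.test", "jira", "8.13.22"),      # first fixed release
]

if __name__ == "__main__":
    for host, product, version in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected by CVE-2022-26137")
```

Tuple comparison does the right thing for version prefixes (a bare "8.0" sorts below "8.0.9"), and the exact-match table keeps Bitbucket 8.1.1 unaffected, as the advisory states only 8.0.0 and 8.1.0 in that line. Swap the inventory for the output of your own asset database before relying on it.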

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor     Product                  Versions
atlassian  bamboo                   7.2.0 — 7.2.10 · 8.0.0 — 8.0.9 · 8.1.0 — 8.1.8
atlassian  bitbucket                8.0.0, 8.1.0 · ≤ 7.6.16 · 7.7.0 — 7.17.8 · 7.18.0 — 7.19.5
atlassian  confluence data center   7.18.0 · ≤ 7.4.17 · 7.5.0 — 7.13.7 · 7.14.0 — 7.14.3
atlassian  confluence server        7.18.0 · ≤ 7.4.17 · 7.5.0 — 7.13.7 · 7.14.0 — 7.14.3
atlassian  crowd                    5.0.0 · ≤ 4.3.8 · 4.4.0 — 4.4.2
atlassian  crucible                 ≤ 4.8.10
atlassian  fisheye                  ≤ 4.8.10
atlassian  jira data center         8.13.0 — 8.13.22 · 8.14.0 — 8.20.10 · 8.21.0 — 8.22.4
atlassian  jira server              8.13.0 — 8.13.22 · 8.14.0 — 8.20.10 · 8.21.0 — 8.22.4
atlassian  jira service desk        ≤ 4.13.22

+1 more product configuration(s); see NVD for the full list.

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. Each control addresses CWE-346 (Origin Validation Error):

- Requires unique identification of the service before communications, addressing failures to validate the origin of the interaction.
- Trusted path establishment enforces validation that the communication originates from and reaches only the intended trusted system components.
- Enforces validation of the true origin of DNS responses via signatures and chain-of-trust mechanisms.
- Enforces origin validation of name/address data, eliminating reliance on unverified or impersonated DNS sources.
- Mandates origin validation so that only legitimate endpoints can continue the authenticated session.

References