PT-2022-3872 · Atlassian · Bamboo, Bitbucket, Confluence, Crowd, Fisheye/Crucible, Jira, Jira Service Management

Published

2022-02-25

·

Updated

2024-10-03

·

CVE-2022-26137

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Ranges are given with an inclusive lower bound and an exclusive upper bound; the upper bound is the release that contains the fix (see Recommendations).

Atlassian Bamboo versions prior to 8.0.9
Atlassian Bamboo versions from 8.1.0 before 8.1.8
Atlassian Bamboo versions from 8.2.0 before 8.2.4
Atlassian Bitbucket versions prior to 7.6.16
Atlassian Bitbucket versions from 7.7.0 before 7.17.8
Atlassian Bitbucket versions from 7.18.0 before 7.19.5
Atlassian Bitbucket versions from 7.20.0 before 7.20.2
Atlassian Bitbucket versions from 7.21.0 before 7.21.2
Atlassian Bitbucket versions 8.0.0 and 8.1.0
Atlassian Confluence versions prior to 7.4.17
Atlassian Confluence versions from 7.5.0 before 7.13.7
Atlassian Confluence versions from 7.14.0 before 7.14.3
Atlassian Confluence versions from 7.15.0 before 7.15.2
Atlassian Confluence versions from 7.16.0 before 7.16.4
Atlassian Confluence versions from 7.17.0 before 7.17.4
Atlassian Confluence version 7.21.0
Atlassian Crowd versions prior to 4.3.8
Atlassian Crowd versions from 4.4.0 before 4.4.2
Atlassian Crowd version 5.0.0
Atlassian Fisheye and Crucible versions prior to 4.8.10
Atlassian Jira versions prior to 8.13.22
Atlassian Jira versions from 8.14.0 before 8.20.10
Atlassian Jira versions from 8.21.0 before 8.22.4
Atlassian Jira Service Management versions prior to 4.13.22
Atlassian Jira Service Management versions from 4.14.0 before 4.20.10
Atlassian Jira Service Management versions from 4.21.0 before 4.22.4
Description

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: a Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker who can trick a user into requesting a malicious URL can access the vulnerable application with the victim's permissions: the attacker's page issues a cross-origin request that the victim's browser sends with the victim's session cookies, and because the CORS filter answers with headers permitting that origin, the browser lets the attacker's script read the authenticated response.
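The response-side condition behind the CORS bypass described above, as an added example (this is not code from the advisory or from Atlassian): it classifies a response's CORS headers by whether a script on a foreign origin could read an authenticated response. It does not reproduce the crafted request, which the advisory does not give; it only encodes what to look for in the reply. The origin `https://attacker.example`, the sample responses and the function names are constructed for this example.

```python
"""
Classify CORS response headers by what a browser would let a page on a
foreign origin read.  Added example, not Atlassian's code; origins and
sample responses are constructed.
"""
from __future__ import annotations

import urllib.error
import urllib.request

ATTACKER_ORIGIN = "https://attacker.example"   # constructed; a page the attacker controls


def parse_response_head(raw: str) -> dict[str, str]:
    """Split a raw HTTP response (status line + headers) into a header dict.
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
    headers: dict[str, str] = {}
    for line in head.splitlines()[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def assess_cors(headers: dict[str, str], request_origin: str) -> str:
    """Classify what a script running on request_origin could read.

    credentialed-read : the request origin is echoed back (this also covers a
                        'null' origin answered with 'null') together with
                        Access-Control-Allow-Credentials: true.  The browser sends
                        the victim's session cookie and releases the response to
                        the attacker's script: the bypass outcome described above.
    anonymous-read    : origin allowed but credentials not, so only an
                        unauthenticated response is readable.
    public-read       : '*' wildcard; readable, but the Fetch standard refuses to
                        pair '*' with credentials, so no session content leaks.
    origin-rejected   : a different origin is allowed; the browser withholds the body.
    no-cors           : no Access-Control-Allow-Origin header at all.
    """
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return "no-cors"
    acao = acao.strip()
    if acao == "*":
        return "public-read"
    if acao == request_origin:
        return "credentialed-read" if creds else "anonymous-read"
    return "origin-rejected"


def probe(url: str, origin: str = ATTACKER_ORIGIN, timeout: float = 10.0) -> str:
    """Send one GET carrying a foreign Origin and classify the live response.
    Needs network access; 4xx/5xx replies are classified from their headers too."""
    req = urllib.request.Request(url, headers={"Origin": origin})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess_cors(dict(resp.headers.items()), origin)
    except urllib.error.HTTPError as err:
        return assess_cors(dict(err.headers.items()), origin)


# Constructed sample responses: the first shows the bypass outcome, the second a safe reply.
BYPASS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Access-Control-Allow-Origin: https://attacker.example\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Vary: Origin\r\n"
    "\r\n"
    '{"displayName": "victim"}'
)
SAFE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Vary: Origin\r\n"
    "\r\n"
    '{"displayName": "victim"}'
)


def classify_sample(raw: str, origin: str = ATTACKER_ORIGIN) -> str:
    return assess_cors(parse_response_head(raw), origin)


if __name__ == "__main__":
    print("bypass sample:", classify_sample(BYPASS_RESPONSE))   # credentialed-read
    print("safe sample:  ", classify_sample(SAFE_RESPONSE))     # no-cors
```

A `no-cors` or `origin-rejected` verdict from a plain GET does not prove an instance is patched, since the bypass depends on a crafted request the advisory does not spell out; the version check remains the authoritative test. The probe is for confirming, after updating, that an instance never echoes an untrusted Origin together with Access-Control-Allow-Credentials: true.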
Recommendations

Update to the first fixed release of the branch you are running, or to any later release of that same branch. "Later" must be read within the branch: Bamboo 8.1.0, for example, is numerically later than the fixed release 8.0.9 but is itself affected. Installations on a release older than the lowest listed fix should move to that fix or to any later fixed release.

Atlassian Bamboo: 8.0.9, 8.1.8 or 8.2.4
Atlassian Bitbucket: 7.6.16, 7.17.8, 7.19.5, 7.20.2, 7.21.2, or 8.1.1 (for 8.0.0 and 8.1.0)
Atlassian Confluence: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, or 7.21.1 (for 7.21.0)
Atlassian Crowd: 4.3.8, 4.4.2, or 5.0.1 (for 5.0.0)
Atlassian Fisheye and Crucible: 4.8.10
Atlassian Jira: 8.13.22, 8.20.10 or 8.22.4
Atlassian Jira Service Management: 4.13.22, 4.20.10 or 4.22.4
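The affected ranges and the fixed releases above, turned into a check that can be run over an inventory. This is an added example, not code from the advisory or from Atlassian: the product keys, function names and sample inventory are this example's own; the ranges and fixed versions are the ones the advisory lists, with each range's upper bound being the fix in that branch.

```python
"""
Decide whether a product/version pair is inside an affected range for
CVE-2022-26137 and name the first fixed release of the same branch.
Added example; ranges are the advisory's, everything else is this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, int, int]:
    """'8.13.22' -> (8, 13, 22).  Trailing qualifiers such as '-m01' are ignored,
    and missing components are treated as zero so '8.1' compares like '8.1.0'."""
    parts: list[int] = []
    for piece in text.strip().split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


@dataclass(frozen=True)
class Affected:
    """One affected range [start, fixed) or, where the advisory names individual
    releases instead of a range, an explicit list of versions."""
    fixed: str                    # first release that contains the fix
    start: str | None = None      # inclusive lower bound; None means 'all earlier versions'
    exact: tuple[str, ...] = ()   # explicit versions, used instead of a range when set

    def matches(self, version: tuple[int, int, int]) -> bool:
        if self.exact:
            return any(version == parse_version(e) for e in self.exact)
        if self.start is not None and version < parse_version(self.start):
            return False
        return version < parse_version(self.fixed)


# Ranges as listed in the advisory.  Upper bounds are exclusive: the bound is the fix.
AFFECTED: dict[str, tuple[Affected, ...]] = {
    "Bamboo": (Affected("8.0.9"), Affected("8.1.8", "8.1.0"), Affected("8.2.4", "8.2.0")),
    "Bitbucket": (
        Affected("7.6.16"), Affected("7.17.8", "7.7.0"), Affected("7.19.5", "7.18.0"),
        Affected("7.20.2", "7.20.0"), Affected("7.21.2", "7.21.0"),
        Affected("8.1.1", exact=("8.0.0", "8.1.0")),
    ),
    "Confluence": (
        Affected("7.4.17"), Affected("7.13.7", "7.5.0"), Affected("7.14.3", "7.14.0"),
        Affected("7.15.2", "7.15.0"), Affected("7.16.4", "7.16.0"), Affected("7.17.4", "7.17.0"),
        Affected("7.21.1", exact=("7.21.0",)),
    ),
    "Crowd": (Affected("4.3.8"), Affected("4.4.2", "4.4.0"), Affected("5.0.1", exact=("5.0.0",))),
    "Fisheye/Crucible": (Affected("4.8.10"),),
    "Jira": (Affected("8.13.22"), Affected("8.20.10", "8.14.0"), Affected("8.22.4", "8.21.0")),
    "Jira Service Management": (
        Affected("4.13.22"), Affected("4.20.10", "4.14.0"), Affected("4.22.4", "4.21.0"),
    ),
}


def required_fix(product: str, version: str) -> str | None:
    """Return the release to upgrade to if (product, version) is affected, else None.
    Unknown products raise KeyError rather than silently reporting 'not affected'."""
    v = parse_version(version)
    for rng in AFFECTED[product]:
        if rng.matches(v):
            return rng.fixed
    return None


if __name__ == "__main__":
    # constructed inventory, not real hosts
    inventory = [("Jira", "8.20.3"), ("Bamboo", "8.1.8"), ("Bitbucket", "8.0.0"), ("Confluence", "7.19.2")]
    for product, version in inventory:
        fix = required_fix(product, version)
        print(f"{product} {version}: " + (f"affected, upgrade to {fix}" if fix else "not affected"))
```

Each range carries its own fix, so the check never recommends a numerically later release from a branch that is itself listed as affected; a release that the advisory does not list (Confluence 7.19.2 in the sample inventory) is reported as not affected, which is all the page supports.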

Weakness Enumeration

CWE-346: Origin Validation Error

Related Identifiers

BDU:2022-04675
CVE-2022-26137

Affected Products

Bamboo
Bitbucket
Confluence
Crowd
Fisheye/Crucible
Jira
Jira Service Management Server