CVE-2022-26136
Bamboo Análisis y mitigación de vulnerabilidades

Vista general

A critical vulnerability (CVE-2022-26136) discovered in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third-party apps. The vulnerability affects multiple Atlassian Server and Data Center products including Bamboo, Bitbucket, Confluence, Crowd, Fisheye and Crucible, Jira, and Jira Service Management. Atlassian Cloud sites are not affected as patches have been deployed (Atlassian Advisory).

Técnicas

The vulnerability exists in how Atlassian products implement Servlet Filters, which are used to intercept and process HTTP requests before they reach backend resources. A Servlet Filter can provide security mechanisms such as authentication, authorization, logging, and auditing. The vulnerability allows attackers to bypass these filters through specially crafted HTTP requests. The CVSS v3.1 base score is 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

Impacto

The vulnerability can lead to multiple security impacts: authentication bypass where attackers can bypass custom Servlet Filters used by third-party apps to enforce authentication, cross-site scripting (XSS) by bypassing the Servlet Filter used to validate legitimate Atlassian Gadgets, and cross-origin resource sharing (CORS) bypass allowing attackers to access vulnerable applications with victim's permissions (Arctic Wolf).

Mitigación y soluciones alternativas

Atlassian has released security patches for all affected products and versions. There are no known workarounds, and updating to the fixed versions is required to remediate the vulnerability. Organizations should upgrade to the latest versions specified in the security advisory. For Confluence Server and Data Center users who previously upgraded during the June 2022 advisory, no additional action is needed as the fix was included in those releases (Atlassian FAQ).

Recursos adicionales


FuenteEste informe se generó utilizando IA

Relacionado Bamboo Vulnerabilidades:

CVE ID

Severidad

Puntuación

Tecnologías

Nombre del componente

Exploit de CISA KEV

Tiene arreglo

Fecha de publicación

CVE-2024-1597CRITICAL9.8
  • PostgreSQL logoPostgreSQL
  • libreoffice:flatpak::postgresql-jdbc
NoFeb 19, 2024
CVE-2026-21571CRITICAL9.4
  • Bamboo logoBamboo
  • cpe:2.3:a:atlassian:bamboo
NoApr 21, 2026
CVE-2026-21570HIGH8.6
  • Bamboo logoBamboo
  • cpe:2.3:a:atlassian:bamboo
NoMar 17, 2026
CVE-2024-21687HIGH8.1
  • Bamboo logoBamboo
  • cpe:2.3:a:atlassian:bamboo
NoJul 16, 2024
CVE-2024-21689HIGH8
  • Bamboo logoBamboo
  • bamboo
NoAug 20, 2024

Evaluación gratuita de vulnerabilidades

Compare su postura de seguridad en la nube

Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.

Solicitar evaluación

Recursos adicionales de Wiz

Obtén una demostración personalizada

¿Listo para ver a Wiz en acción?

"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
David EstlickCISO
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
Adam FletcherJefe de Seguridad
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."
Greg PoniatowskiJefe de Gestión de Amenazas y Vulnerabilidades