CVE-2022-26136
Bamboo Analyse et atténuation des vulnérabilités

Aperçu

A critical vulnerability (CVE-2022-26136) discovered in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third-party apps. The vulnerability affects multiple Atlassian Server and Data Center products including Bamboo, Bitbucket, Confluence, Crowd, Fisheye and Crucible, Jira, and Jira Service Management. Atlassian Cloud sites are not affected as patches have been deployed (Atlassian Advisory).

Détails techniques

The vulnerability exists in how Atlassian products implement Servlet Filters, which are used to intercept and process HTTP requests before they reach backend resources. A Servlet Filter can provide security mechanisms such as authentication, authorization, logging, and auditing. The vulnerability allows attackers to bypass these filters through specially crafted HTTP requests. The CVSS v3.1 base score is 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

Impact

The vulnerability can lead to multiple security impacts: authentication bypass where attackers can bypass custom Servlet Filters used by third-party apps to enforce authentication, cross-site scripting (XSS) by bypassing the Servlet Filter used to validate legitimate Atlassian Gadgets, and cross-origin resource sharing (CORS) bypass allowing attackers to access vulnerable applications with victim's permissions (Arctic Wolf).

Atténuation et solutions de contournement

Atlassian has released security patches for all affected products and versions. There are no known workarounds, and updating to the fixed versions is required to remediate the vulnerability. Organizations should upgrade to the latest versions specified in the security advisory. For Confluence Server and Data Center users who previously upgraded during the June 2022 advisory, no additional action is needed as the fix was included in those releases (Atlassian FAQ).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Bamboo Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2024-1597CRITICAL9.8
  • PostgreSQL logoPostgreSQL
  • libreoffice:flatpak::postgresql-jdbc
NonOuiFeb 19, 2024
CVE-2026-21571CRITICAL9.4
  • Bamboo logoBamboo
  • cpe:2.3:a:atlassian:bamboo
NonOuiApr 21, 2026
CVE-2026-21570HIGH8.6
  • Bamboo logoBamboo
  • cpe:2.3:a:atlassian:bamboo
NonOuiMar 17, 2026
CVE-2024-21687HIGH8.1
  • Bamboo logoBamboo
  • cpe:2.3:a:atlassian:bamboo
NonOuiJul 16, 2024
CVE-2024-21689HIGH8
  • Bamboo logoBamboo
  • bamboo
NonOuiAug 20, 2024

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités