CVE-2022-26136
Bamboo 脆弱性の分析と軽減

概要

A critical vulnerability (CVE-2022-26136) discovered in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third-party apps. The vulnerability affects multiple Atlassian Server and Data Center products including Bamboo, Bitbucket, Confluence, Crowd, Fisheye and Crucible, Jira, and Jira Service Management. Atlassian Cloud sites are not affected as patches have been deployed (Atlassian Advisory).

技術的な詳細

The vulnerability exists in how Atlassian products implement Servlet Filters, which are used to intercept and process HTTP requests before they reach backend resources. A Servlet Filter can provide security mechanisms such as authentication, authorization, logging, and auditing. The vulnerability allows attackers to bypass these filters through specially crafted HTTP requests. The CVSS v3.1 base score is 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

影響

The vulnerability can lead to multiple security impacts: authentication bypass where attackers can bypass custom Servlet Filters used by third-party apps to enforce authentication, cross-site scripting (XSS) by bypassing the Servlet Filter used to validate legitimate Atlassian Gadgets, and cross-origin resource sharing (CORS) bypass allowing attackers to access vulnerable applications with victim's permissions (Arctic Wolf).

軽減策と回避策

Atlassian has released security patches for all affected products and versions. There are no known workarounds, and updating to the fixed versions is required to remediate the vulnerability. Organizations should upgrade to the latest versions specified in the security advisory. For Confluence Server and Data Center users who previously upgraded during the June 2022 advisory, no additional action is needed as the fix was included in those releases (Atlassian FAQ).

関連情報


ソースこのレポートは AI を使用して生成されました

関連 Bamboo 脆弱 性:

CVE 識別子

重大度

スコア

テクノロジー

コンポーネント名

CISA KEV エクスプロイト

修正あり

公開日

CVE-2024-1597CRITICAL9.8
  • PostgreSQL logoPostgreSQL
  • libreoffice:flatpak::postgresql-jdbc
いいえはいFeb 19, 2024
CVE-2026-21571CRITICAL9.4
  • Bamboo logoBamboo
  • cpe:2.3:a:atlassian:bamboo
いいえはいApr 21, 2026
CVE-2026-21570HIGH8.6
  • Bamboo logoBamboo
  • cpe:2.3:a:atlassian:bamboo
いいえはいMar 17, 2026
CVE-2024-21687HIGH8.1
  • Bamboo logoBamboo
  • cpe:2.3:a:atlassian:bamboo
いいえはいJul 16, 2024
CVE-2024-21689HIGH8
  • Bamboo logoBamboo
  • bamboo
いいえはいAug 20, 2024

無料の脆弱性評価

クラウドセキュリティポスチャーのベンチマーク

9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。

評価を依頼する

パーソナライズされたデモを見る

実際に Wiz を見てみませんか?​

"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
デビッド・エストリックCISO (最高情報責任者)
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
アダム・フレッチャーチーフ・セキュリティ・オフィサー
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"
グレッグ・ポニャトフスキ脅威および脆弱性管理責任者