CVE-2022-26137
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2022-26137
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Description
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
不正确的行为次序:规范化之前验证
Source: NVD (National Vulnerability Database)
Vulnerability Title
Atlassian Crowd和Atlassian Jira 访问控制错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Atlassian Crowd和Atlassian Jira都是澳大利亚Atlassian公司的产品。Atlassian Crowd是一套基于Web的单点登录系统。该系统为多用户、网络应用程序和目录服务器提供验证、授权等功能。Atlassian Jira是一套缺陷跟踪管理系统。该系统主要用于对工作中各类问题、缺陷进行跟踪管理。 Atlassian Crowd Server 和 Data Center 存在安全漏洞,未经身份验证的远程攻击者可能会导致调用其他 Servlet 过滤器。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Atlassian | Bamboo Server | unspecified ~ 8.0.9 | - | |
| Atlassian | Bamboo Data Center | unspecified ~ 8.0.9 | - | |
| Atlassian | Bitbucket Server | unspecified ~ 7.6.16 | - | |
| Atlassian | Bitbucket Data Center | unspecified ~ 7.6.16 | - | |
| Atlassian | Confluence Server | unspecified ~ 7.4.17 | - | |
| Atlassian | Confluence Data Center | unspecified ~ 7.4.17 | - | |
| Atlassian | Crowd Server | unspecified ~ 4.3.8 | - | |
| Atlassian | Crowd Data Center | unspecified ~ 4.3.8 | - | |
| Atlassian | Crucible | unspecified ~ 4.8.10 | - | |
| Atlassian | Fisheye | unspecified ~ 4.8.10 | - | |
| Atlassian | Jira Core Server | unspecified ~ 8.13.22 | - | |
| Atlassian | Jira Software Server | unspecified ~ 8.13.22 | - | |
| Atlassian | Jira Software Data Center | unspecified ~ 8.13.22 | - | |
| Atlassian | Jira Service Management Server | unspecified ~ 4.13.22 | - | |
| Atlassian | Jira Service Management Data Center | unspecified ~ 4.13.22 | - |
II. Public POCs for CVE-2022-26137
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2022-26137
请登录查看更多情报信息。
- https://jira.atlassian.com/browse/CWD-5815x_refsource_MISC
- https://jira.atlassian.com/browse/CRUC-8541x_refsource_MISC
- https://jira.atlassian.com/browse/JSDSERVER-11863x_refsource_MISC
- https://jira.atlassian.com/browse/CONFSERVER-79476x_refsource_MISC
- https://jira.atlassian.com/browse/FE-7410x_refsource_MISC
- https://jira.atlassian.com/browse/BAM-21795x_refsource_MISC
- https://jira.atlassian.com/browse/JRASERVER-73897x_refsource_MISC
- https://jira.atlassian.com/browse/BSERV-13370x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2022-26137
Same Patch Batch · Atlassian · 2022-07-20 · 3 CVEs total
| CVE-2022-26136 | Atlassian Crowd和Atlassian Jira 授权问题漏洞 | |
| CVE-2022-26138 | Atlassian Confluence Server 信任管理问题漏洞 |
IV. Related Vulnerabilities
Same weakness: CWE-180
- CVE-2026-39409
Hono has incorrect IP matching in ipRestriction() for IPv4-m - CVE-2026-39364
Vite has a `server.fs.deny` bypass with queries - CVE-2026-34786
Rack: Rack::Static header_rules bypass via URL-encoded paths - CVE-2026-34475
Varnish Cache 安全漏洞 - CVE-2026-24895
FrankenPHP affected by Path Confusion via Unicode casing in
V. Comments for CVE-2022-26137
No comments yet