#VU65892 Insufficient verification of data authenticity in Atlassian products - CVE-2022-26137
Published: July 29, 2022
- Atlassian Bamboo
- Bitbucket Data Center
- Confluence Data Center
- Crowd Data Center
- Jira Service Management Server
- Jira Software
- Atlassian Crucible
- Atlassian Fisheye
Atlassian
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an origin validation error when processing HTTP requests, related to cross-origin resource sharing (CORS) in the Servlet Filter. A remote attacker can trick a victim into following a specially crafted link and access the vulnerable application with the victim's permissions.
Remediation
External links
- https://jira.atlassian.com/browse/CWD-5815
- https://jira.atlassian.com/browse/FE-7410
- https://jira.atlassian.com/browse/JRASERVER-73897
- https://jira.atlassian.com/browse/BAM-21795
- https://jira.atlassian.com/browse/JSDSERVER-11863
- https://jira.atlassian.com/browse/CONFSERVER-79476
- https://jira.atlassian.com/browse/CRUC-8541
- https://jira.atlassian.com/browse/BSERV-13370