阿里云漏洞库

漏洞描述

Atlassian Crowd和Atlassian Jira都是澳大利亚Atlassian公司的产品。Atlassian Crowd是一套基于Web的单点登录系统。该系统为多用户、网络应用程序和目录服务器提供验证、授权等功能。Atlassian Jira是一套缺陷跟踪管理系统。该系统主要用于对工作中各类问题、缺陷进行跟踪管理。

Atlassian Crowd Server 和 Data Center 存在安全漏洞，未经身份验证的远程攻击者可能会导致调用其他 Servlet 过滤器。

解决建议

At present, the manufacturer has issued an upgrade patch to fix the vulnerability. The link to obtain the patch is as follows:

https://jira.atlassian.com/browse/CWD-5815

参考链接
https://jira.atlassian.com/browse/BAM-21795
https://jira.atlassian.com/browse/BSERV-13370
https://jira.atlassian.com/browse/CONFSERVER-79476
https://jira.atlassian.com/browse/CRUC-8541
https://jira.atlassian.com/browse/CWD-5815
https://jira.atlassian.com/browse/FE-7410
https://jira.atlassian.com/browse/JRASERVER-73897
https://jira.atlassian.com/browse/JSDSERVER-11863

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	atlassian	bamboo	*	From (including) 7.2.0	Up to (excluding) 7.2.10
	运行在以下环境
	应用	atlassian	bamboo	*	From (including) 8.0.0	Up to (excluding) 8.0.9
	运行在以下环境
	应用	atlassian	bamboo	*	From (including) 8.1.0	Up to (excluding) 8.1.8
	运行在以下环境
	应用	atlassian	bamboo	*	From (including) 8.2.0	Up to (excluding) 8.2.4
	运行在以下环境
	应用	atlassian	bitbucket	*		Up to (excluding) 7.6.16
	运行在以下环境
	应用	atlassian	bitbucket	*	From (including) 7.18.0	Up to (excluding) 7.19.5
	运行在以下环境
	应用	atlassian	bitbucket	*	From (including) 7.20.0	Up to (excluding) 7.20.2
	运行在以下环境
	应用	atlassian	bitbucket	*	From (including) 7.21.0	Up to (excluding) 7.21.2
	运行在以下环境
	应用	atlassian	bitbucket	*	From (including) 7.7.0	Up to (excluding) 7.17.8
	运行在以下环境
	应用	atlassian	bitbucket	8.0.0	-
	运行在以下环境
	应用	atlassian	bitbucket	8.1.0	-
	运行在以下环境
	应用	atlassian	confluence_data_center	*		Up to (excluding) 7.4.17
	运行在以下环境
	应用	atlassian	confluence_data_center	*	From (including) 7.14.0	Up to (excluding) 7.14.3
	运行在以下环境
	应用	atlassian	confluence_data_center	*	From (including) 7.15.0	Up to (excluding) 7.15.2
	运行在以下环境
	应用	atlassian	confluence_data_center	*	From (including) 7.16.0	Up to (excluding) 7.16.4
	运行在以下环境
	应用	atlassian	confluence_data_center	*	From (including) 7.17.0	Up to (excluding) 7.17.4
	运行在以下环境
	应用	atlassian	confluence_data_center	*	From (including) 7.5.0	Up to (excluding) 7.13.7
	运行在以下环境
	应用	atlassian	confluence_data_center	7.18.0	-
	运行在以下环境
	应用	atlassian	confluence_server	*		Up to (excluding) 7.4.17
	运行在以下环境
	应用	atlassian	confluence_server	*	From (including) 7.14.0	Up to (excluding) 7.14.3
	运行在以下环境
	应用	atlassian	confluence_server	*	From (including) 7.15.0	Up to (excluding) 7.15.2
	运行在以下环境
	应用	atlassian	confluence_server	*	From (including) 7.16.0	Up to (excluding) 7.16.4
	运行在以下环境
	应用	atlassian	confluence_server	*	From (including) 7.17.0	Up to (excluding) 7.17.4
	运行在以下环境
	应用	atlassian	confluence_server	*	From (including) 7.5.0	Up to (excluding) 7.13.7
	运行在以下环境
	应用	atlassian	confluence_server	7.18.0	-
	运行在以下环境
	应用	atlassian	crowd	*		Up to (excluding) 4.3.8
	运行在以下环境
	应用	atlassian	crowd	*	From (including) 4.4.0	Up to (excluding) 4.4.2
	运行在以下环境
	应用	atlassian	crowd	5.0.0	-
	运行在以下环境
	应用	atlassian	crucible	*		Up to (excluding) 4.8.10
	运行在以下环境
	应用	atlassian	fisheye	*		Up to (excluding) 4.8.10
	运行在以下环境
	应用	atlassian	jira_data_center	*	From (including) 8.13.0	Up to (excluding) 8.13.22
	运行在以下环境
应用	atlassian	jira_data_center	*	From (including) 8.14.0	Up to (excluding) 8.20.10
运行在以下环境
应用	atlassian	jira_data_center	*	From (including) 8.21.0	Up to (excluding) 8.22.4
运行在以下环境
应用	atlassian	jira_server	*	From (including) 8.13.0	Up to (excluding) 8.13.22
运行在以下环境
应用	atlassian	jira_server	*	From (including) 8.14.0	Up to (excluding) 8.20.10
运行在以下环境
应用	atlassian	jira_server	*	From (including) 8.21.0	Up to (excluding) 8.22.4
运行在以下环境
应用	atlassian	jira_service_desk	*		Up to (excluding) 4.13.22
运行在以下环境
应用	atlassian	jira_service_management	*	From (including) 4.14.0	Up to (excluding) 4.20.10
运行在以下环境
应用	atlassian	jira_service_management	*	From (including) 4.21.0	Up to (excluding) 4.22.4

攻击路径

远程
攻击复杂度

复杂
权限要求

无需权限
影响范围

全局影响
EXP成熟度

未验证
补丁情况

官方补丁
数据保密性

无影响
数据完整性

无影响
服务器危害

无影响
全网数量

N/A

CWE-ID	漏洞类型
CWE-346	源验证错误

中危 Atlassian Crowd和Atlassian Jira 访问控制错误漏洞（CVE-2022-26137）

漏洞描述

解决建议

参考链接

受影响软件情况