CVE-2022-26133 - Vulnerability Details - OpenCVE

SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.81388.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Atlassian	Bitbucket Data Center

Configuration 1 [-]

OR	cpe:2.3:a:atlassian:bitbucket_data_center::::::::
	cpe:2.3:a:atlassian:bitbucket_data_center::::::::
	cpe:2.3:a:atlassian:bitbucket_data_center::::::::
	cpe:2.3:a:atlassian:bitbucket_data_center::::::::
	cpe:2.3:a:atlassian:bitbucket_data_center:7.20.0:::::::*

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html
https://jira.atlassian.com/browse/BSERV-13173

History

Thu, 03 Oct 2024 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: atlassian

Published: 2022-04-20T18:30:19.225869Z

Updated: 2024-10-03T14:55:36.962Z

Reserved: 2022-02-25T00:00:00

Link: CVE-2022-26133

Vulnrichment

Updated: 2024-08-03T04:56:37.656Z

NVD

Status : Modified

Published: 2022-04-20T19:15:08.157

Modified: 2024-11-21T06:53:29.743

Link: CVE-2022-26133

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Bitbucket Data Center", "vendor": "Atlassian", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "5.14.0", "versionType": "custom"}, {"lessThan": "7.6.14", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom"}, {"lessThan": "7.17.6", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "7.18.0", "versionType": "custom"}, {"lessThan": "7.18.4", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "7.19.0", "versionType": "custom"}, {"lessThan": "7.19.4", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"status": "affected", "version": "7.20.0"}]}], "datePublic": "2022-03-24T00:00:00", "descriptions": [{"lang": "en", "value": "SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization."}], "problemTypes": [{"descriptions": [{"description": "Deserialization of untrusted data", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-04-20T18:30:19", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://jira.atlassian.com/browse/BSERV-13173"}, {"tags": ["x_refsource_MISC"], "url": "https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2022-03-24T23:00:00", "ID": "CVE-2022-26133", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Bitbucket Data Center", "version": {"version_data": [{"version_affected": ">=", "version_value": "5.14.0"}, {"version_affected": "<", "version_value": "7.6.14"}, {"version_affected": ">=", "version_value": "7.7.0"}, {"version_affected": "<", "version_value": "7.17.6"}, {"version_affected": ">=", "version_value": "7.18.0"}, {"version_affected": "<", "version_value": "7.18.4"}, {"version_affected": ">=", "version_value": "7.19.0"}, {"version_affected": "<", "version_value": "7.19.4"}, {"version_affected": "=", "version_value": "7.20.0"}]}}]}, "vendor_name": "Atlassian"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Deserialization of untrusted data"}]}]}, "references": {"reference_data": [{"name": "https://jira.atlassian.com/browse/BSERV-13173", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/BSERV-13173"}, {"name": "https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html", "refsource": "MISC", "url": "https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:56:37.656Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jira.atlassian.com/browse/BSERV-13173"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-502", "lang": "en", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "affected": [{"vendor": "atlassian", "product": "bitbucket_data_center", "cpes": ["cpe:2.3:a:atlassian:bitbucket_data_center:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "5.14.0", "status": "affected", "lessThan": "7.6.14", "versionType": "custom"}, {"version": "7.7.0", "status": "affected", "lessThan": "7.17.6", "versionType": "custom"}, {"version": "7.18.0", "status": "affected", "lessThan": "7.18.4", "versionType": "custom"}, {"version": "7.19.0", "status": "affected", "lessThan": "7.19.4", "versionType": "custom"}]}, {"vendor": "atlassian", "product": "bitbucket_data_center", "cpes": ["cpe:2.3:a:atlassian:bitbucket_data_center:7.20.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "7.20.0", "status": "affected"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-10-03T14:41:09.024921Z", "id": "CVE-2022-26133", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-03T14:55:36.962Z"}}]}, "cveMetadata": {"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2022-26133", "datePublished": "2022-04-20T18:30:19.225869Z", "dateReserved": "2022-02-25T00:00:00", "dateUpdated": "2024-10-03T14:55:36.962Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://jira.atlassian.com/browse/BSERV-13173", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:56:37.656Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-26133", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-03T14:41:09.024921Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:atlassian:bitbucket_data_center:*:*:*:*:*:*:*:*"], "vendor": "atlassian", "product": "bitbucket_data_center", "versions": [{"status": "affected", "version": "5.14.0", "lessThan": "7.6.14", "versionType": "custom"}, {"status": "affected", "version": "7.7.0", "lessThan": "7.17.6", "versionType": "custom"}, {"status": "affected", "version": "7.18.0", "lessThan": "7.18.4", "versionType": "custom"}, {"status": "affected", "version": "7.19.0", "lessThan": "7.19.4", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:atlassian:bitbucket_data_center:7.20.0:*:*:*:*:*:*:*"], "vendor": "atlassian", "product": "bitbucket_data_center", "versions": [{"status": "affected", "version": "7.20.0"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-03T14:44:46.842Z"}}], "cna": {"affected": [{"vendor": "Atlassian", "product": "Bitbucket Data Center", "versions": [{"status": "affected", "version": "5.14.0", "lessThan": "unspecified", "versionType": "custom"}, {"status": "affected", "version": "unspecified", "lessThan": "7.6.14", "versionType": "custom"}, {"status": "affected", "version": "7.7.0", "lessThan": "unspecified", "versionType": "custom"}, {"status": "affected", "version": "unspecified", "lessThan": "7.17.6", "versionType": "custom"}, {"status": "affected", "version": "7.18.0", "lessThan": "unspecified", "versionType": "custom"}, {"status": "affected", "version": "unspecified", "lessThan": "7.18.4", "versionType": "custom"}, {"status": "affected", "version": "7.19.0", "lessThan": "unspecified", "versionType": "custom"}, {"status": "affected", "version": "unspecified", "lessThan": "7.19.4", "versionType": "custom"}, {"status": "affected", "version": "7.20.0"}]}], "datePublic": "2022-03-24T00:00:00", "references": [{"url": "https://jira.atlassian.com/browse/BSERV-13173", "tags": ["x_refsource_MISC"]}, {"url": "https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Deserialization of untrusted data"}]}], "providerMetadata": {"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian", "dateUpdated": "2022-04-20T18:30:19"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "5.14.0", "version_affected": ">="}, {"version_value": "7.6.14", "version_affected": "<"}, {"version_value": "7.7.0", "version_affected": ">="}, {"version_value": "7.17.6", "version_affected": "<"}, {"version_value": "7.18.0", "version_affected": ">="}, {"version_value": "7.18.4", "version_affected": "<"}, {"version_value": "7.19.0", "version_affected": ">="}, {"version_value": "7.19.4", "version_affected": "<"}, {"version_value": "7.20.0", "version_affected": "="}]}, "product_name": "Bitbucket Data Center"}]}, "vendor_name": "Atlassian"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://jira.atlassian.com/browse/BSERV-13173", "name": "https://jira.atlassian.com/browse/BSERV-13173", "refsource": "MISC"}, {"url": "https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html", "name": "https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Deserialization of untrusted data"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-26133", "STATE": "PUBLIC", "ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2022-03-24T23:00:00"}}}}, "cveMetadata": {"cveId": "CVE-2022-26133", "state": "PUBLISHED", "dateUpdated": "2024-10-03T14:55:36.962Z", "dateReserved": "2022-02-25T00:00:00", "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "datePublished": "2022-04-20T18:30:19.225869Z", "assignerShortName": "atlassian"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:bitbucket_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "1E530A6D-88FB-4E3F-8C2D-03298F4D3DC8", "versionEndExcluding": "7.6.14", "versionStartIncluding": "5.14.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bitbucket_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "C51DBE72-FBFC-49ED-B81D-A9BFD76FFDE1", "versionEndExcluding": "7.17.6", "versionStartIncluding": "7.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bitbucket_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "05ACFD2B-BE5A-4D7A-831C-0E1AF803DCAD", "versionEndExcluding": "7.18.4", "versionStartIncluding": "7.18.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bitbucket_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "16F97B63-963E-440E-A671-E87FBB658504", "versionEndExcluding": "7.19.4", "versionStartIncluding": "7.19.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bitbucket_data_center:7.20.0:*:*:*:*:*:*:*", "matchCriteriaId": "AF9D614F-F4C6-4AC5-88E1-A979A5DDE654", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization."}, {"lang": "es", "value": "SharedSecretClusterAuthenticator en Atlassian Bitbucket Data Center versiones 5.14.0 y posteriores anteriores a 7.6.14, versiones 7.7.0 y posteriores anteriores a 7.17.6, versiones 7.18.0 y posteriores anteriores a 7.18.4, versiones 7.19.0 y posteriores anteriores a 7.19.4, y versi\u00f3n 7.20.0, permiten a un atacante remoto no autenticado ejecutar c\u00f3digo arbitrario por medio de una deserializaci\u00f3n de Java"}], "id": "CVE-2022-26133", "lastModified": "2024-11-21T06:53:29.743", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-04-20T19:15:08.157", "references": [{"source": "security@atlassian.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html"}, {"source": "security@atlassian.com", "tags": ["Vendor Advisory"], "url": "https://jira.atlassian.com/browse/BSERV-13173"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://jira.atlassian.com/browse/BSERV-13173"}], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}