CVE-2022-26135
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. This also affects Jira Management Server and Data Center versions from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10 and from version 4.21.0 before 4.22.4.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Atlassian | Jira Core Server | 8.0.0 < unspecified | affected |
| Atlassian | Jira Core Server | unspecified < 8.13.22 | affected |
| Atlassian | Jira Core Server | 8.14.0 < unspecified | affected |
| Atlassian | Jira Core Server | unspecified < 8.20.10 | affected |
| Atlassian | Jira Core Server | 8.21.0 < unspecified | affected |
| Atlassian | Jira Core Server | unspecified < 8.22.4 | affected |
| Atlassian | Jira Software Server | 8.0.0 < unspecified | affected |
| Atlassian | Jira Software Server | unspecified < 8.13.22 | affected |
| Atlassian | Jira Software Server | 8.14.0 < unspecified | affected |
| Atlassian | Jira Software Server | unspecified < 8.20.10 | affected |
| Atlassian | Jira Software Server | 8.21.0 < unspecified | affected |
| Atlassian | Jira Software Server | unspecified < 8.22.4 | affected |
| Atlassian | Jira Software Data Center | 8.0.0 < unspecified | affected |
| Atlassian | Jira Software Data Center | unspecified < 8.13.22 | affected |
| Atlassian | Jira Software Data Center | 8.14.0 < unspecified | affected |
| Atlassian | Jira Software Data Center | unspecified < 8.20.10 | affected |
| Atlassian | Jira Software Data Center | 8.21.0 < unspecified | affected |
| Atlassian | Jira Software Data Center | unspecified < 8.22.4 | affected |
| Atlassian | Jira Service Management Server | 4.0.0 < unspecified | affected |
| Atlassian | Jira Service Management Server | unspecified < 4.13.22 | affected |
| Atlassian | Jira Service Management Server | 4.14.0 < unspecified | affected |
| Atlassian | Jira Service Management Server | unspecified < 4.20.10 | affected |
| Atlassian | Jira Service Management Server | 4.21.0 < unspecified | affected |
| Atlassian | Jira Service Management Server | unspecified < 4.22.4 | affected |
| Atlassian | Jira Service Management Data Center | 4.0.0 < unspecified | affected |
| Atlassian | Jira Service Management Data Center | unspecified < 4.13.22 | affected |
| Atlassian | Jira Service Management Data Center | 4.14.0 < unspecified | affected |
| Atlassian | Jira Service Management Data Center | unspecified < 4.20.10 | affected |
| Atlassian | Jira Service Management Data Center | 4.21.0 < unspecified | affected |
| Atlassian | Jira Service Management Data Center | unspecified < 4.22.4 | affected |
Weaknesses
- Server-side Request Forgery
ADP Enrichment
CVE Program Container
Additional References
- https://jira.atlassian.com/browse/JRASERVER-73863
- https://jira.atlassian.com/browse/JSDSERVER-11840
- https://confluence.atlassian.com/display/JIRA/Jira+Server+Security+Advisory+29nd+June+2022
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://jira.atlassian.com/browse/JRASERVER-73863
- https://jira.atlassian.com/browse/JSDSERVER-11840
- https://confluence.atlassian.com/display/JIRA/Jira+Server+Security+Advisory+29nd+June+2022
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.