CVE-2022-26135

Summary

A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. This also affects Jira Management Server and Data Center versions from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10 and from version 4.21.0 before 4.22.4.

Affected Software

VendorProductVersion RangeStatus
AtlassianJira Core Server8.0.0 < unspecifiedaffected
AtlassianJira Core Serverunspecified < 8.13.22affected
AtlassianJira Core Server8.14.0 < unspecifiedaffected
AtlassianJira Core Serverunspecified < 8.20.10affected
AtlassianJira Core Server8.21.0 < unspecifiedaffected
AtlassianJira Core Serverunspecified < 8.22.4affected
AtlassianJira Software Server8.0.0 < unspecifiedaffected
AtlassianJira Software Serverunspecified < 8.13.22affected
AtlassianJira Software Server8.14.0 < unspecifiedaffected
AtlassianJira Software Serverunspecified < 8.20.10affected
AtlassianJira Software Server8.21.0 < unspecifiedaffected
AtlassianJira Software Serverunspecified < 8.22.4affected
AtlassianJira Software Data Center8.0.0 < unspecifiedaffected
AtlassianJira Software Data Centerunspecified < 8.13.22affected
AtlassianJira Software Data Center8.14.0 < unspecifiedaffected
AtlassianJira Software Data Centerunspecified < 8.20.10affected
AtlassianJira Software Data Center8.21.0 < unspecifiedaffected
AtlassianJira Software Data Centerunspecified < 8.22.4affected
AtlassianJira Service Management Server4.0.0 < unspecifiedaffected
AtlassianJira Service Management Serverunspecified < 4.13.22affected
AtlassianJira Service Management Server4.14.0 < unspecifiedaffected
AtlassianJira Service Management Serverunspecified < 4.20.10affected
AtlassianJira Service Management Server4.21.0 < unspecifiedaffected
AtlassianJira Service Management Serverunspecified < 4.22.4affected
AtlassianJira Service Management Data Center4.0.0 < unspecifiedaffected
AtlassianJira Service Management Data Centerunspecified < 4.13.22affected
AtlassianJira Service Management Data Center4.14.0 < unspecifiedaffected
AtlassianJira Service Management Data Centerunspecified < 4.20.10affected
AtlassianJira Service Management Data Center4.21.0 < unspecifiedaffected
AtlassianJira Service Management Data Centerunspecified < 4.22.4affected

Weaknesses

  • Server-side Request Forgery

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References