Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-73863

Full Read SSRF in Mobile Plugin CVE-2022-26135

XMLWordPrintable

    • 7.2
    • High
    • CVE-2022-26135

      A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4.

      We would like to acknowledge Shubham Shah and Dylan Pindur of Assetnote for finding this vulnerability.

      Affected versions:

      • versions >= 8.0.0 and < 8.13.22
      • 8.14.x
      • 8.15.x
      • 8.16.x
      • 8.17.x
      • 8.18.x
      • 8.19.x
      • 8.20.x < 8.20.10
      • 8.22.x < 8.22.4

      Fixed versions:

      • 8.13.x >= 8.13.22
      • 8.20.x >= 8.20.10
      • 8.22.x >= 8.22.4
      • 9.0.0

            [JRASERVER-73863] Full Read SSRF in Mobile Plugin CVE-2022-26135

            raj-kumar2 added a comment -

            What if we have this mobile plugin disabled in Jira? Do we still need to apply the patches?

            raj-kumar2 added a comment - What if we have this mobile plugin disabled in Jira? Do we still need to apply the patches?

            Zachary Shue added a comment -

            CVSS score claims Privileges Required: None.

             

            But the description of the issue states:

            "A vulnerability in Mobile Plugin for Jira Data Center and Server allows *****a remote, authenticated user (including a user who joined via the sign-up feature)***** to perform a full read server-side request forgery via a batch endpoint. "

             

            These two things conflict here, do we know which is true?

            Zachary Shue added a comment - CVSS score claims Privileges Required: None.   But the description of the issue states: "A vulnerability in Mobile Plugin for Jira Data Center and Server allows ***** a remote, authenticated user (including a user who joined via the sign-up feature) ***** to perform a full read server-side request forgery via a batch endpoint. "   These two things conflict here, do we know which is true?

            kemal added a comment -

            How can we resolve CVE-2022-26135 this CVE issue?

            kemal added a comment - How can we resolve CVE-2022-26135 this CVE issue?

            rshah2 added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 7.2 => High severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity Low
            Privileges Required None
            User Interaction None

            Scope Metric

            Scope Changed

            Impact Metrics

            Confidentiality Low
            Integrity Low
            Availability None

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

            rshah2 added a comment - This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 7.2 => High severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction None Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity Low Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              16 Start watching this issue

                Created:
                Updated:
                Resolved: