Jira is not impacted (no action is required) as the vulnerability cannot be exploited.

All Jira versions below 9.6 uses an affected version of Spring Framework, reason why the JRASERVER-74776 was published, however Jira does not use the affected methods from the Spring, hence is not impacted:

• CVE-2022-22970 Spring Framework handling file uploads Denial of Service: Spring is not used for file handling, we use commons-fileupload v1.3.3.
• CVE-2022-22971 Spring Framework using STOMP over WebSockets Denial of Service: Jira has no usages of WebSockets

No action is required at the moment to mitigate the vulnerabilities as Jira is not impacted.

----------------------------------------------

Affected versions of Atlassian Jira Server/DC is impacted by CVE-2022-22970 & CVE-2022-22971 owing to use of spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions.

Affected versions:

• version < 9.6.0

Fixed versions:

• 9.6.0