- Public Security Vulnerability
- Resolution: Fixed
- Low
- 9.4.0, 8.20.15
- 6.5
- Medium
- CVE-2022-22970
Jira is not impacted (no action is required), as the vulnerability cannot be exploited.
All Jira versions below 9.6 use an affected version of Spring Framework, which is why JRASERVER-74776 was published; however, Jira does not call the affected Spring methods and is therefore not impacted:
- CVE-2022-22970, Spring Framework denial of service when handling file uploads: Spring is not used for file handling; Jira uses commons-fileupload v1.3.3.
- CVE-2022-22971, Spring Framework denial of service when using STOMP over WebSockets: Jira has no usages of WebSockets.
No action is required at the moment to mitigate these vulnerabilities, as Jira is not impacted.
----------------------------------------------
Affected versions of Atlassian Jira Server/DC are impacted by CVE-2022-22970 and CVE-2022-22971 owing to the use of Spring Framework versions earlier than 5.3.20 and 5.2.22, as well as old unsupported versions.
Affected versions:
- version < 9.6.0
Fixed versions:
- 9.6.0