Rapid7 Vulnerability & Exploit Database

Atlassian JIRA: Full-Read Server Side Request Forgery in Mobile Plugin for Jira Data Center and Server (CVE-2022-26135)

Severity
4
CVSS
(AV:N/AC:L/Au:S/C:P/I:N/A:N)
Published
06/30/2022
Created
08/29/2022
Added
07/25/2022
Modified
07/25/2022

Description

A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full-read server-side request forgery via a batch endpoint. Because a self-registered account is sufficient, instances with public sign-up enabled are effectively exposed to anyone who can reach the login page. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, and from version 8.21.0 before 8.22.4. This also affects Jira Service Management Server and Data Center from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10, and from version 4.21.0 before 4.22.4.
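The affected ranges above are half-open (first affected release inclusive, first fixed release exclusive) on three separate release lines, which is easy to get wrong when triaging an inventory by hand. The following is an added example, not Rapid7's or Atlassian's code, that encodes exactly the ranges stated in the description and classifies version strings against them. It assumes a plain dotted numeric version such as "8.20.9" (the "hosts" inventory is constructed sample data); a build suffix is rejected rather than guessed at.

```python
"""Classify Jira / Jira Service Management versions against the CVE-2022-26135
ranges quoted in the advisory text above (added example, not vendor code)."""

# (first affected, first fixed) per release line, copied from the description.
# A version v is affected when first_affected <= v < first_fixed.
JIRA_RANGES = [
    ((8, 0, 0), (8, 13, 22)),
    ((8, 14, 0), (8, 20, 10)),
    ((8, 21, 0), (8, 22, 4)),
]
JSM_RANGES = [
    ((4, 0, 0), (4, 13, 22)),
    ((4, 14, 0), (4, 20, 10)),
    ((4, 21, 0), (4, 22, 4)),
]
RANGES = {"jira": JIRA_RANGES, "jsm": JSM_RANGES}


def parse_version(text):
    """Turn '8.20.9' into (8, 20, 9); pad short forms such as '8.20' to three parts.

    Non-numeric components (for example a '-rc1' suffix) raise ValueError so a
    build the table cannot place is reported instead of silently mis-classified.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    nums = tuple(int(p) for p in parts)  # int() rejects '4-rc1' etc.
    return nums + (0,) * (3 - len(nums))


def is_affected(version, product="jira"):
    """True when the version falls inside any affected range for the product."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in RANGES[product])


def fixed_version_for(version, product="jira"):
    """First fixed release on the same line, or None when the version is not affected."""
    v = parse_version(version)
    for lo, hi in RANGES[product]:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def triage(hosts):
    """Map {host: (product, version)} to {host: status} for a remediation list.

    Status is the first fixed release to upgrade to, 'not affected', or
    'unparseable' when the version string does not fit the expected shape.
    """
    report = {}
    for host, (product, version) in hosts.items():
        try:
            fix = fixed_version_for(version, product)
        except ValueError:
            report[host] = "unparseable"
            continue
        report[host] = f"upgrade to {fix}" if fix else "not affected"
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {
        "jira-a": ("jira", "8.20.9"),    # inside second range
        "jira-b": ("jira", "8.13.22"),   # exactly the fixed release
        "jira-c": ("jira", "8.23.0"),    # newer than every listed range
        "jsm-a": ("jsm", "4.21.0"),      # first affected on third line
        "jira-d": ("jira", "8.22.4-rc1"),  # suffix: reported, not guessed
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Note that a version such as 8.13.23 is classified as not affected, which matches the advisory: only the listed half-open ranges are vulnerable, and nothing on the page says anything about releases before 8.0.0 / 4.0.0, so those are also reported as not affected rather than guessed at.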

Solution(s)

  • atlassian-jira-upgrade-8_13_22
  • atlassian-jira-upgrade-8_20_10
  • atlassian-jira-upgrade-8_22_4
