CVE-2022-26135

Description

A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. This also affects Jira Management Server and Data Center versions from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10 and from version 4.21.0 before 4.22.4.

References

Link	Tags
https://jira.atlassian.com/browse/JRASERVER-73863	vendor advisory
https://jira.atlassian.com/browse/JSDSERVER-11840	vendor advisory
https://confluence.atlassian.com/display/JIRA/Jira+Server+Security+Advisory+29nd+June+2022	mitigation vendor advisory

Frequently Asked Questions

What is the severity of CVE-2022-26135?: CVE-2022-26135 has been scored as a medium severity vulnerability.
How to fix CVE-2022-26135?: To fix CVE-2022-26135, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-26135 being actively exploited in the wild?: It is possible that CVE-2022-26135 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~91% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-26135?: CVE-2022-26135 affects Atlassian Jira Core Server, Atlassian Jira Software Server, Atlassian Jira Software Data Center, Atlassian Jira Service Management Server, Atlassian Jira Service Management Data Center.

Description

Category

CWE-918 – Server-Side Request Forgery (SSRF)

References

Frequently Asked Questions