CVE-2022-29885 Apache Tomcat Denial of Service Vulnerability

Introduction

Atlassian Jira is an issue tracking software application used for bug tracking and agile project management.

Summary

On July 6, 2022, the Sangfor security team received a notice about a server-side request forgery vulnerability (CVE-2022-26135) in Atlassian Jira, classified as medium with a CVSS score of 6.5.

A full-read server-side request forgery exists in Mobile Plugin for Jira, which is bundled with Jira and Jira Service Management. It is exploitable by any authenticated user (including a user who joined via the sign-up feature). It specifically affects the batch HTTP endpoint used in Mobile Plugin for Jira. It is possible to control the HTTP method and location of the intended URL through the method parameter in the body of the vulnerable endpoint.

Affected Versions

8.0 ≤ Jira Core Server/Jira Software Server/Jira Software Data Center < 8.13.22

8.14.0 ≤ Jira Core Server/Jira Software Server/Jira Software Data Center < 8.20.10

8.21.0 ≤ Jira Core Server/Jira Software Server/Jira Software Data Center < 8.22.4

4.0 ≤ Jira Service Management Server/Data Center < 4.13.22

4.14.0 ≤ Jira Service Management Server/Data Center < 4.20.10

4.21.0 ≤ Jira Service Management Server/Data Center < 4.22.4
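The version ranges above can be checked against an asset inventory with a short script. The following is an added example, not code from Sangfor or Atlassian; the product keys `jira` and `jsm`, the host names and the inventory entries are constructed for illustration, and pre-release suffixes such as `-m0003` are assumed to compare as the base version.

```python
import re

# Affected ranges as listed in this advisory:
# (inclusive lower bound, exclusive upper bound = first fixed release).
AFFECTED = {
    "jira": [("8.0", "8.13.22"), ("8.14.0", "8.20.10"), ("8.21.0", "8.22.4")],
    "jsm": [("4.0", "4.13.22"), ("4.14.0", "4.20.10"), ("4.21.0", "4.22.4")],
}


def parse_version(text):
    """Turn '8.20.9', '8.0' or '8.13.0-m0003' into a 3-tuple of ints."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def triage(product, version):
    """Return (affected, fixed_version) for product key 'jira' or 'jsm'."""
    v = parse_version(version)
    for low, fixed in AFFECTED[product]:
        if parse_version(low) <= v < parse_version(fixed):
            return True, fixed
    # Outside every listed range: the advisory makes no statement about it.
    return False, None


# Constructed inventory: (host, product key, installed version).
INVENTORY = [
    ("jira-prod", "jira", "8.20.9"),      # inside the second range
    ("jira-lts", "jira", "8.13.25"),      # 8.13.x at or above the fix
    ("jira-new", "jira", "8.22.4"),       # exactly the fixed release
    ("helpdesk", "jsm", "4.22.3"),        # inside the third JSM range
    ("helpdesk-old", "jsm", "4.0"),       # two-part lower bound
]


def report(inventory):
    """Build one row per host: (host, version, status, upgrade target)."""
    rows = []
    for host, product, version in inventory:
        affected, fixed = triage(product, version)
        status = "AFFECTED" if affected else "not listed"
        rows.append((host, version, status, fixed))
    return rows


if __name__ == "__main__":
    for host, version, status, fixed in report(INVENTORY):
        target = f"upgrade to >= {fixed}" if fixed else "-"
        print(f"{host:14} {version:10} {status:11} {target}")
```

A status of "not listed" means only that the version falls outside the ranges in this advisory, for example releases older than 8.0 or 4.0.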

Timeline

On July 6, 2022, Sangfor received a notice about the Atlassian Jira server-side request forgery vulnerability (CVE-2022-26135).

On July 6, 2022, Sangfor FarSight Labs released a vulnerability alert with remediation solutions.

Learn More

Sangfor FarSight Labs researches the latest cyberthreats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats, providing fast and easy protection for customers.
