CVE-2022-26135

A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. This also affects Jira Management Server and Data Center versions from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10 and from version 4.21.0 before 4.22.4.
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
atlassianCNA
---
---
CVEADP
---
---
CISA-ADPADP
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
VendorProductVersion
atlassianjira_data_center
8.0.0 ≤
𝑥
< 8.13.22
atlassianjira_data_center
8.14.0 ≤
𝑥
< 8.20.10
atlassianjira_data_center
8.21.0 ≤
𝑥
< 8.22.4
atlassianjira_server
8.0.0 ≤
𝑥
< 8.13.22
atlassianjira_server
8.14.0 ≤
𝑥
< 8.20.10
atlassianjira_server
8.21.0 ≤
𝑥
< 8.22.4
atlassianjira_service_desk
4.0.0 ≤
𝑥
< 4.13.22
atlassianjira_service_desk
4.0.0 ≤
𝑥
< 4.13.22
atlassianjira_service_management
4.14.0 ≤
𝑥
< 4.20.10
atlassianjira_service_management
4.14.0 ≤
𝑥
< 4.20.10
atlassianjira_service_management
4.21.0 ≤
𝑥
< 4.22.4
atlassianjira_service_management
4.21.0 ≤
𝑥
< 4.22.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://confluence.atlassian.com/display/JIRA/Jira+Server+Security+Advisory+29nd+June+2022
https://jira.atlassian.com/browse/JRASERVER-73863
https://jira.atlassian.com/browse/JSDSERVER-11840
https://confluence.atlassian.com/display/JIRA/Jira+Server+Security+Advisory+29nd+June+2022
https://jira.atlassian.com/browse/JRASERVER-73863
https://jira.atlassian.com/browse/JSDSERVER-11840