CVE-2022-26135

A high severity vulnerability, CVE-2022-26135, has been discovered in Jira’s Mobile Plugin for Jira app. The vulnerability allows a remote, authenticated user to perform a full read server-side request forgery via a batch endpoint. This vulnerability affects Jira Data Center and Server versions.

The vulnerability, discovered in June 2022, is a full-read SSRF: an authenticated user can make the Jira server issue requests on their behalf via a batch endpoint and read the responses. This vulnerability can be exploited by a remote attacker to read arbitrary files and execute arbitrary code on the server. The vulnerability is rated high severity, with a CVSS score of 8.1.

Jira Data Center and Server versions are affected by this vulnerability. Jira Cloud is not affected. Atlassian has released fixed versions of Jira Data Center and Server to address the vulnerability. The company has also provided mitigation steps for users who cannot upgrade to the fixed versions.

Key Takeaways

  • CVE-2022-26135 is a high severity vulnerability in Jira’s Mobile Plugin for Jira app that allows a remote, authenticated user to perform a full read server-side request forgery via a batch endpoint.
  • The vulnerability affects Jira Data Center and Server versions but not Jira Cloud.
  • Atlassian has released fixed versions of Jira Data Center and Server to address the vulnerability and provided mitigation steps for users who cannot upgrade.

Understanding CVE-2022-26135

CVE-2022-26135 affects the Mobile Plugin for Jira Data Center and Server. It allows a remote, authenticated user to perform a full-read server-side request forgery via a batch endpoint, and affects Atlassian Jira Server and Data Center from version 8.0.0 before 8.17.0 and from version 8.18.0 before 8.19.0.

Vulnerabilities like CVE-2022-26135 can be discovered by security researchers, ethical hackers, or even malicious actors. Once a vulnerability is discovered, it is important to report it to the affected vendor so that they can develop a patch or fix to address the issue.

In the case of CVE-2022-26135, Atlassian has released a security advisory and has provided a fix for affected versions. It is important for users of Atlassian Jira Server and Data Center to update their software to the latest version to ensure that they are protected against this vulnerability.

CVE-2022-26135 is a serious vulnerability that can potentially be exploited by attackers to gain unauthorized access to sensitive information. It is important for organizations to stay vigilant and keep their software up to date to protect against such vulnerabilities.

Affected Software and Versions

The CVE-2022-26135 vulnerability affects several versions of Jira Server and Data Center, as well as the Mobile Plugin for Jira and other Atlassian products. The vulnerability could allow an attacker to execute arbitrary code on a vulnerable system.

Jira Server and Data Center

Jira Server and Data Center versions from 8.0.0 before 8.13.22, from 8.14.0 before 8.20.12, and from 8.21.0 before 8.22.6 are affected by the CVE-2022-26135 vulnerability.

Mobile Plugin for Jira

The Mobile Plugin for Jira is affected by the CVE-2022-26135 vulnerability. Users should update to the latest version of the plugin as soon as possible to mitigate the risk of exploitation.

Atlassian Products

Other Atlassian products may also be affected by the CVE-2022-26135 vulnerability. Users should check with Atlassian or review the security advisory to determine if their product is affected.

Jira Data Center and Jira Management Server

Jira Data Center and Jira Management Server versions from 4.0.0 before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4 are also affected by the CVE-2022-26135 vulnerability.

Details of the Vulnerability

The CVE-2022-26135 vulnerability is a server-side request forgery (SSRF) vulnerability found in the Mobile Plugin for Jira Data Center and Server. This vulnerability allows a remote, authenticated user, including a user who joined via the sign-up feature, to perform a full read server-side request forgery via a batch endpoint.

Server-Side Request Forgery

Server-side request forgery (SSRF) is a type of vulnerability that allows an attacker to send requests from a vulnerable server to other internal or external servers. This vulnerability can be exploited to access sensitive information or perform unauthorized actions on behalf of the vulnerable server.

Role of Authenticated User

Authentication is the only precondition for exploiting this vulnerability, and any authenticated user qualifies, including one who created an account through the sign-up feature. Such a user can perform a full-read server-side request forgery via a batch endpoint: the Jira server issues requests to other internal or external servers on the attacker's behalf and returns the responses, exposing sensitive information.

Significance of Batch Endpoint

The batch endpoint is a critical component in exploiting this vulnerability. The batch endpoint is responsible for processing multiple requests in a single call. An attacker can use the batch endpoint to make multiple requests to other internal or external servers and access sensitive information.

The vulnerability is classified as CWE-918, the category for server-side request forgery. Its severity is rated high, with a CVSS score of 8.1.

In conclusion, CVE-2022-26135 is a severe vulnerability that can be exploited by a remote, authenticated user to perform a full read server-side request forgery via a batch endpoint. The vulnerability highlights the importance of securing batch endpoints and ensuring that users’ credentials are protected.

Fixed Versions and Mitigation

Atlassian has released fixed versions of Jira Core Server, Jira Software Server, and Jira Software Data Center for CVE-2022-26135. The surest way to remediate the vulnerability is to install a fixed version listed in the security advisory. Once a fixed version has been installed, no further action is required.

Jira Server and Data Center

Fixed versions for Jira Server and Data Center include:

Version    Fixed Version
8.0.0      8.13.22
8.14.0     8.20.10
8.21.0     8.22.4
           9.0.0

Customers running Jira Management Server 4.x should upgrade to version 4.21.0, which contains a fix for the vulnerability.

Mobile Plugin for Jira

The Mobile Plugin for Jira app is affected by CVE-2022-26135. Fixed versions include:

Version    Fixed Version
4.0.0      4.14.0
           4.21.0

Customers running Mobile Plugin for Jira Data Center should upgrade to version 4.21.0, which contains a fix for the vulnerability.

It is worth noting that the affected plugin is a much smaller codebase than Jira itself, which makes it easier to review for vulnerabilities.

Atlassian provided mitigation details, which include installing a fixed version of Jira or Jira Service Management. This is the surest way to remediate CVE-2022-26135.

Frequently Asked Questions

What is the impact of CVE-2022-26135 on Jira?

CVE-2022-26135 is a high severity vulnerability that affects Jira’s Mobile Plugin for Jira app. It allows a remote authenticated user to perform a full-read server-side request forgery via a batch endpoint. This vulnerability could potentially allow an attacker to access sensitive information or execute arbitrary code on the affected system.

How can I check if my system is vulnerable to CVE-2022-26135?

To check if your system is vulnerable to CVE-2022-26135, compare your installed version against the affected versions of Jira and of the Mobile Plugin for Jira app. Atlassian has released a security advisory that outlines the affected versions.
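As an added example (not code from Atlassian or from the original article), the following script turns the fixed-version table quoted above into a check an administrator can run against an installed Jira Server / Data Center 8.x version. The branch starts and fixed versions are copied from the "Fixed versions for Jira Server and Data Center" table on this page; the table's 9.0.0 row is treated as an already-fixed release, and the numbers should be verified against Atlassian's advisory before use.

```python
"""Check an installed Jira Server / Data Center 8.x version against the
CVE-2022-26135 fixed-version table quoted in this article.

Added example; not code from Atlassian or from the original article.
The ranges in FIX_TABLE are copied from the page's fixed-version table
and should be verified against the vendor advisory."""
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'8.20.3' -> (8, 20, 3). Pre-release suffixes are not handled."""
    return tuple(int(part) for part in text.strip().split("."))


# (first version of the affected branch, first fixed version in that branch)
FIX_TABLE = [
    ((8, 0, 0), (8, 13, 22)),
    ((8, 14, 0), (8, 20, 10)),
    ((8, 21, 0), (8, 22, 4)),
]
# The table also lists 9.0.0 as a fixed release, so anything at or beyond
# 9.0.0 falls through every range and is reported as not affected.


def required_fix(installed: str) -> Optional[str]:
    """Return the fixed version an installed build must move to, or None
    if the build is already at or beyond its branch's fix (or is not an
    8.x release covered by the table)."""
    v = parse_version(installed)
    for branch_start, fixed in FIX_TABLE:
        # Tuple comparison orders dotted versions component by component.
        if branch_start <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def is_vulnerable(installed: str) -> bool:
    """True when the installed build still needs an upgrade for this CVE."""
    return required_fix(installed) is not None


if __name__ == "__main__":
    # Constructed sample inputs, one per branch plus a fixed release.
    for build in ["8.13.5", "8.20.3", "8.22.4", "9.0.0"]:
        fix = required_fix(build)
        print(f"{build}: {'upgrade to ' + fix if fix else 'not affected'}")
```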

What steps can I take to mitigate the CVE-2022-26135 vulnerability?

To mitigate the CVE-2022-26135 vulnerability, you should upgrade to a fixed version of Jira’s Mobile Plugin for Jira app. Atlassian has released a security advisory that includes information on the fixed versions.

Are there any known exploits for CVE-2022-26135?

There are no known exploits for CVE-2022-26135 at this time. However, it is important to take the necessary steps to mitigate the vulnerability as soon as possible.

What is the difference between CVE-2022-26135 and CVE-2022-26134?

CVE-2022-26135 and CVE-2022-26134 are both vulnerabilities that affect Jira’s Mobile Plugin for Jira app. However, they are different vulnerabilities with different impacts and mitigation steps.

What other vulnerabilities are associated with CVE-2022-26135?

There are no other known vulnerabilities associated with CVE-2022-26135 at this time. However, it is important to regularly review security advisories and updates from Atlassian to stay up to date on any potential vulnerabilities or threats.