CVE-2022-26135: SSRF
First published: Thu Jun 30 2022(Updated: )
A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. This also affects Jira Management Server and Data Center versions from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10 and from version 4.21.0 before 4.22.4.
Credit: security@atlassian.com security@atlassian.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Atlassian Jira Data Center | >=8.0.0<8.13.22 | |
| Atlassian Jira Data Center | >=8.14.0<8.20.10 | |
| Atlassian Jira Data Center | >=8.21.0<8.22.4 | |
| Atlassian Jira Server | >=8.0.0<8.13.22 | |
| Atlassian Jira Server | >=8.14.0<8.20.10 | |
| Atlassian Jira Server | >=8.21.0<8.22.4 | |
| Atlassian Jira Service Desk | >=4.0.0<4.13.22 | |
| Atlassian Jira Service Desk | >=4.0.0<4.13.22 | |
| Atlassian Jira Service Management | >=4.14.0<4.20.10 | |
| Atlassian Jira Service Management | >=4.14.0<4.20.10 | |
| Atlassian Jira Service Management | >=4.21.0<4.22.4 | |
| Atlassian Jira Service Management | >=4.21.0<4.22.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID of this issue is CVE-2022-26135.
What is the severity of CVE-2022-26135?
The severity of CVE-2022-26135 is medium with a CVSS score of 6.5.
Which products are affected by CVE-2022-26135?
Atlassian Jira Server and Data Center versions 8.0.0 to 8.22.4, Atlassian Jira Service Desk versions 4.0.0 to 4.13.22, and Atlassian Jira Service Management versions 4.14.0 to 4.22.4 are affected by CVE-2022-26135.
How can a remote authenticated user exploit CVE-2022-26135?
A remote authenticated user can exploit CVE-2022-26135 by performing a full read server-side request forgery via a batch endpoint.
Are there any patches or fixes available for CVE-2022-26135?
Yes, patches and fixes are available for CVE-2022-26135. It is recommended to update to the latest version of the affected Atlassian products.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/description
- agent/tags
- agent/first-publish-date
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/atlassian
- canonical/atlassian jira data center
- version/atlassian jira data center/8.0.0
- version/atlassian jira data center/8.14.0
- version/atlassian jira data center/8.21.0
- canonical/atlassian jira server
- version/atlassian jira server/8.0.0
- version/atlassian jira server/8.14.0
- version/atlassian jira server/8.21.0
- canonical/atlassian jira service desk
- version/atlassian jira service desk/4.0.0
- canonical/atlassian jira service management
- version/atlassian jira service management/4.14.0
- version/atlassian jira service management/4.21.0