bitvoodoo Advisories

Date:

Product:

Jira:

  • Jira Core Server

  • Jira Software Server

  • Jira Software Data Center

Jira Service Management (JSM):

  • Jira Service Management Server

  • Jira Service Management Data Center

Vulnerability: High

CVE: CVE-2022-26135

Official link: TBU Atlassian Partners Advisory 2022-06-29

Jira Mobile - Full-Read Server Side Request Forgery in Mobile Plugin for Jira Data Center and Server - CVE-2022-26135

Dear customer,

on the 30th of June 2022 at 1 AM CEST, Atlassian issued a Security Advisory for Jira Server and Jira Data Center. The Cloud versions of the applications, as well as other Atlassian products, are not affected.

What you need to know

A full-read server-side request forgery exists in Mobile Plugin for Jira, which is bundled with Jira and Jira Service Management. It is exploitable by any authenticated user (including a user who joined via the sign-up feature). It specifically affects the batch HTTP endpoint used in Mobile Plugin for Jira. It is possible to control the HTTP method and location of the intended URL through the method parameter in the body of the vulnerable endpoint.

Affected Versions

Jira Core Server, Jira Software Server, and Jira Software Data Center:

  • Versions after 8.0 and before 8.13.22

  • 8.14.x

  • 8.15.x

  • 8.16.x

  • 8.17.x

  • 8.18.x

  • 8.19.x

  • 8.20.x before 8.20.10

  • 8.21.x

  • 8.22.x before 8.22.4

Jira Service Management Server and Data Center:

  • Versions after 4.0 and before 4.13.22

  • 4.14.x

  • 4.15.x

  • 4.16.x

  • 4.17.x

  • 4.18.x

  • 4.19.x

  • 4.20.x before 4.20.10

  • 4.21.x

  • 4.22.x before 4.22.4

What should I do?

You use Jira Server or Jira Data Center 

Update

Currently there is no fixed version; as soon as Atlassian releases a new version, we will update this page.

Workaround

There are currently no fixed versions of Confluence Server and Confluence Data Center available. In the interim, customers should work with their security team to consider the best course of action. Options to consider include:

  • Restricting access to Confluence Server and Data Center instances from the internet.

  • Disabling Confluence Server and Data Center instances.

If you are unable to take the above actions, implementing a WAF (Web Application Firewall) rule that blocks URLs containing ${ may reduce your risk.

This advisory will be updated as fixes become available.

You use Confluence Cloud

You are not affected by this Security Advisory.

No need for action.


You use Confluence Server or Confluence Data Center 

Update

Currently there is no fixed version; as soon as Atlassian releases a new version, we will update this page and inform affected customers.

LTS Update Package Customers will get an update to the latest LTS release free of charge as soon as possible.

Workaround

A workaround has been implemented to secure instances hosted on the bitvoodoo cloud. We will update the instances as soon as the fixed version is available.

Fix

To address this issue, we have released:

  • Jira Core Server, Jira Software Server, and Jira Software Data Center versions:

    • 8.13.22

    • 8.20.10

    • 8.22.4 

    • 9.0.0

  • Jira Service Management Server and Data Center versions:

    • 4.13.22

    • 4.20.10

    • 4.22.4 

    • 5.0.0

You can download the latest versions from the download pages for Jira Core, Jira Software, or Jira Service Management.

Please note, these are the first versions that include the fix for CVE-2022-26135. More current bug fix releases are available for the releases listed above. Atlassian recommends upgrading to the most current bug fix version.

Mitigation

Installing a fixed version of Jira or Jira Service Management is the surest way to remediate CVE-2022-26135. If you are unable to immediately upgrade Jira or Jira Service Management, then as a temporary workaround you can manually upgrade Mobile Plugin for Jira Data Center and Server (com.atlassian.jira.mobile.jira-mobile-rest) to the versions specified in this section (or disable the plugin). Depending on which version of Jira you have, the app might not be listed under "user-installed" apps. If so, check for it under "System" apps. It might also have a different name; in this case, look for the app with the App Key com.atlassian.jira.mobile.jira-mobile-rest.

The following versions of the Mobile Plugin for Jira app contain a fix for this issue:

  • 3.1.5 (compatible with Jira 8.13.x and JSM 4.13.x)

  • 3.2.15 (compatible with Jira 8.20.x and 8.22.x, compatible with JSM 4.20.x and 4.22.x)
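The affected-version lists under "Affected Versions" and the fixed Mobile Plugin versions in this section, transcribed into a small checker that an administrator can run over an inventory of instances. This is an added example and is not code from bitvoodoo or Atlassian: the function names, the "jira"/"jsm" product labels and the sample inventory at the bottom are this example's own (the inventory is constructed, not real instances). The advisory's phrase "Versions after 8.0" is read conservatively here, so 8.0.0 itself is treated as affected.

```python
"""Check Jira / Jira Service Management and Mobile Plugin versions against the
version lists given in the bitvoodoo advisory for CVE-2022-26135.

Added example; version lists are transcribed from the advisory text, the
function names and the 'jira'/'jsm' product labels are this example's own.
"""
import re

# Jira 8.x and JSM 4.x share one release train in the advisory's lists.
PRODUCT_MAJOR = {"jira": 8, "jsm": 4}


def parse_version(text):
    """'8.20.3' -> (8, 20, 3); a missing minor/patch component counts as 0."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def _affected_ranges(major):
    """Half-open [low, high) ranges transcribed from the advisory.
    'after X.0' is read conservatively as including X.0.0 itself."""
    return [
        ((major, 0, 0), (major, 13, 22)),   # after X.0 and before X.13.22
        ((major, 14, 0), (major, 20, 0)),   # X.14.x through X.19.x
        ((major, 20, 0), (major, 20, 10)),  # X.20.x before X.20.10
        ((major, 21, 0), (major, 22, 0)),   # X.21.x
        ((major, 22, 0), (major, 22, 4)),   # X.22.x before X.22.4
    ]


def _fixed_versions(major):
    """First releases containing the fix, as listed under 'Fix'."""
    return [(major, 13, 22), (major, 20, 10), (major, 22, 4), (major + 1, 0, 0)]


def is_affected(product, version):
    v = parse_version(version)
    return any(low <= v < high for low, high in _affected_ranges(PRODUCT_MAJOR[product]))


def recommended_fix(product, version):
    """Lowest fixed release >= the running version, or None when not affected."""
    if not is_affected(product, version):
        return None
    v = parse_version(version)
    for fixed in _fixed_versions(PRODUCT_MAJOR[product]):
        if fixed >= v:
            return ".".join(map(str, fixed))
    return None  # unreachable: every affected version lies below X.22.4


# Mobile Plugin for Jira versions containing the fix, keyed by the
# (major, minor) release line they are compatible with, per the advisory.
PLUGIN_FIX_BY_LINE = {
    "jira": {(8, 13): (3, 1, 5), (8, 20): (3, 2, 15), (8, 22): (3, 2, 15)},
    "jsm": {(4, 13): (3, 1, 5), (4, 20): (3, 2, 15), (4, 22): (3, 2, 15)},
}


def required_plugin_version(product, version):
    """Fixed plugin version listed for this release line, or None when the
    advisory names no compatible fixed plugin (upgrade Jira instead)."""
    fix = PLUGIN_FIX_BY_LINE[product].get(parse_version(version)[:2])
    return ".".join(map(str, fix)) if fix else None


def plugin_workaround_applied(product, version, plugin_version):
    """True when the installed Mobile Plugin is at or above the fixed version
    for this release line; False if it is older or no fixed plugin is listed."""
    required = required_plugin_version(product, version)
    if required is None:
        return False
    return parse_version(plugin_version) >= parse_version(required)


def assess(product, version, plugin_version=None):
    """Status for one instance, returned as a dict so results can be collected
    across many instances instead of only printed."""
    affected = is_affected(product, version)
    return {
        "product": product,
        "version": version,
        "affected": affected,
        "upgrade_to": recommended_fix(product, version),
        "plugin_required": required_plugin_version(product, version) if affected else None,
        "plugin_ok": (plugin_workaround_applied(product, version, plugin_version)
                      if (affected and plugin_version) else None),
    }


if __name__ == "__main__":
    # Constructed sample inventory (product, version, installed plugin version).
    inventory = [("jira", "8.20.3", "3.2.9"), ("jira", "8.22.4", None),
                 ("jsm", "4.13.20", "3.1.5"), ("jira", "9.0.0", None)]
    for product, version, plugin in inventory:
        print(assess(product, version, plugin))
```

`assess` returns `plugin_ok` as None when the instance is not affected or no plugin version was supplied, so a missing value is distinguishable from a failed check when the results are tabulated.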
