This is a public space:

For the draft, please restrict the page during creation and
remove this warning when page is published



Contents


Inhalte


Contenu



Date

 

Product

Jira:

  • Jira Core Server

  • Jira Software Server

  • Jira Software Data Center

Jira Service Management (JSM):

  • Jira Service Management Server

  • Jira Service Management Data Center

VulnerabilityHigh
CVECVE-2022-26135
Official linkTBU Atlassian Partners Advisory 2022-06-29



Jira Mobile - Full-Read Server Side Request Forgery in Mobile Plugin for Jira Data Center and Server - CVE-2022-26135


Dear customer,

on the 30th of June 2022  1AM CEST, Atlassian issued a Security Advisory for Jira Server & Jira Data Center. The Cloud versions of the applications as well as other Atlassian products are not affected.

What you need to know

A full-read server-side request forgery exists in Mobile Plugin for Jira, which is bundled with Jira and Jira Service Management. It is exploitable by any authenticated user (including a user who joined via the sign-up feature). It specifically affects the batch HTTP endpoint used in Mobile Plugin for Jira. It is possible to control the HTTP method and location of the intended URL through the method parameter in the body of the vulnerable endpoint.

Affected Versions

Jira Core Server, Jira Software Server, and Jira Software Data Center:

  • Versions after 8.0 and before 8.13.22

  • 8.14.x

  • 8.15.x

  • 8.16.x

  • 8.17.x

  • 8.18.x

  • 8.19.x

  • 8.20.x before 8.20.10

  • 8.21.x

  • 8.22.x before 8.22.4

Jira Service Management Server and Data Center:

  • Versions after 4.0 and before 4.13.22

  • 4.14.x

  • 4.15.x

  • 4.16.x

  • 4.17.x

  • 4.18.x

  • 4.19.x

  • 4.20.x before 4.20.10

  • 4.21.x

  • 4.22.x before 4.22.4

What should I do?


You use Jira Server or Jira Data Center 

Update

To address this issue, we have released:

  • Jira Core Server, Jira Software Server, and Jira Software Data Center versions:

    • 8.13.22

    • 8.20.10

    • 8.22.4 

    • 9.0.0

  • Jira Service Management Server and Data Center versions:

    • 4.13.22

    • 4.20.10

    • 4.22.4 

    • 5.0.0

You can download the latest versions from the download pages for Jira Core, Jira Software, or Jira Service Management.

Please note, these are the first versions that include the fix for CVE-2022-26135. More current bug fix releases are available for the releases listed above. Atlassian recommends upgrading to the most current bug fix version.

Mitigation

Installing a fixed version of Jira or Jira Service Management is the surest way to remediate CVE-2022-26135. If you are unable to immediately upgrade Jira or Jira Service Management, then as a temporary workaround, you can manually upgrade Mobile Plugin for Jira Data Center and Server (com.atlassian.jira.mobile.jira-mobile-rest) to the versions specified in this section (or disable the plugin). Depending on which version of Jira you have, the app might not be listed under "user-installed" apps. if so, check for it under "System" apps. It might also have different name in this case look for the app with the App Key com.atlassian.jira.mobile.jira-mobile-rest.

The following versions of the Mobile Plugin for Jira app contain a fix for this issue:

  • 3.1.5 (compatible with Jira 8.13.x and JSM 4.13.x)

  • 3.2.15 (compatible with Jira 8.20.x and 8.22.x, compatible with JSM 4.20.x and 4.22.x)


You use Jira Cloud

You are not affected by this Security Advisory.

No need for action.



You use Jira Server or Jira Data Center 

Update

LTS Update Package Customers will get an update to the latest LTS release free of charge as soon as possible.

Mitigation

The mitigation has been implemented to secure instances hosted on the bitvoodoo cloud. We will update the instances as soon as possible



Support

If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via support.bitvoodoo.ch.


if wanted add translations in german or/and french with the according language macro