High Severity Alert: Server Side Request Forgery in Mobile Plugin for Jira Server and DC

Summary
CVE-2022-26135 – Full-Read Server Side Request Forgery in Mobile Plugin for Jira Data Center and Server
Advisory Release Date: 29 June 2022 10:00 AM PDT (Pacific Time, -7 hours)
Affected Products

Jira:

  • Jira Core Server

  • Jira Software Server

  • Jira Software Data Center

Jira Service Management (JSM):

  • Jira Service Management Server

  • Jira Service Management Data Center

Affected Versions

Jira Core Server, Jira Software Server, and Jira Software Data Center:

  • Versions after 8.0 and before 8.13.22

  • 8.14.x

  • 8.15.x

  • 8.16.x

  • 8.17.x

  • 8.18.x

  • 8.19.x

  • 8.20.x before 8.20.10

  • 8.21.x

  • 8.22.x before 8.22.4

Jira Service Management Server and Data Center:

  • Versions after 4.0 and before 4.13.22

  • 4.14.x

  • 4.15.x

  • 4.16.x

  • 4.17.x

  • 4.18.x

  • 4.19.x

  • 4.20.x before 4.20.10

  • 4.21.x

  • 4.22.x before 4.22.4

Jira Cloud and Jira Service Management Cloud are not affected.

Fixed Versions

Jira Core Server, Jira Software Server, and Jira Software Data Center:

  • 8.13.x >= 8.13.22

  • 8.20.x >= 8.20.10

  • 8.22.x >= 8.22.4

  • 9.0.0

Jira Service Management Server and Data Center:

  • 4.13.x >= 4.13.22

  • 4.20.x >= 4.20.10

  • 4.22.x >= 4.22.4

  • 5.0.0

CVE ID(s): CVE-2022-26135

Summary of Vulnerability

This advisory discloses a high severity security vulnerability.

Jira Server and Data Center versions before 8.13.22, from version 8.14.0 before 8.20.10, and from version 8.21.0 before 8.22.4 are affected by this vulnerability.

Jira Service Management Server and Data Center versions before 4.13.22, from version 4.14.0 before 4.20.10, and from version 4.21.0 before 4.22.4 are affected by this vulnerability.

Atlassian Cloud sites are not affected.

If your Jira site is accessed via an atlassian.net domain, you are not affected by the vulnerability.

Customers who have upgraded to version 8.13.22, 8.20.10, 8.22.4, or 9.0.0 of Jira Server or Data Center are not affected.

Customers who have upgraded to version 4.13.22, 4.20.10, 4.22.4, or 5.0.0 of Jira Service Management Server or Data Center are not affected.

Customers who have downloaded and installed any versions listed in affected versions must upgrade their installations to fix this vulnerability.

Please upgrade your installations immediately.

Description

A full-read server-side request forgery exists in Mobile Plugin for Jira, which is bundled with Jira and Jira Service Management. It is exploitable by any authenticated user (including a user who joined via the sign-up feature). It specifically affects the batch HTTP endpoint used in Mobile Plugin for Jira. It is possible to control the HTTP method and location of the intended URL through the method parameter in the body of the vulnerable endpoint.

All versions of Jira and Jira Service Management prior to the fixed version listed above are affected by this vulnerability.

Fix

To address this issue, Atlassian has released:

  • Jira Core Server, Jira Software Server, and Jira Software Data Center versions:

    • 8.13.22

    • 8.20.10

    • 8.22.4

    • 9.0.0

  • Jira Service Management Server and Data Center versions:

    • 4.13.22

    • 4.20.10

    • 4.22.4

    • 5.0.0

You can download the latest versions from the download pages for Jira Core, Jira Software, or Jira Service Management.

Please note, these are the first versions that include the fix for CVE-2022-26135. More current bug fix releases are available for the releases listed above. Atlassian recommends upgrading to the most current bug fix version.

Mitigation

Installing a fixed version of Jira or Jira Service Management is the surest way to remediate CVE-2022-26135. If you are unable to immediately upgrade Jira or Jira Service Management, then as a temporary workaround, you can manually upgrade Mobile Plugin for Jira Data Center and Server (com.atlassian.jira.mobile.jira-mobile-rest) to the versions specified in this section (or disable the plugin).

The following versions of the Mobile Plugin for Jira app contain a fix for this issue:

  • 3.1.5 (compatible with Jira 8.13.x and JSM 4.13.x)

  • 3.2.15 (compatible with Jira 8.20.x and 8.22.x, compatible with JSM 4.20.x and 4.22.x)
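The following triage helper is an added example, not part of the advisory or of Atlassian's tooling. It encodes the affected ranges, fixed versions and workaround plugin versions listed above so an administrator can classify a known Jira or JSM version string offline; the product keys "jira" and "jsm" and the function names are assumptions of this example.

```python
"""Triage helper for CVE-2022-26135 (Mobile Plugin for Jira SSRF).

Encodes the affected-version ranges, fixed versions and workaround plugin
versions exactly as listed in the advisory. Nothing here touches a server;
it only classifies a version string you already know (e.g. from the admin UI).
"""

# Affected ranges per product: (first affected, inclusive) -> (first fixed, exclusive)
AFFECTED = {
    "jira": [((8, 0, 0), (8, 13, 22)), ((8, 14, 0), (8, 20, 10)), ((8, 21, 0), (8, 22, 4))],
    "jsm":  [((4, 0, 0), (4, 13, 22)), ((4, 14, 0), (4, 20, 10)), ((4, 21, 0), (4, 22, 4))],
}

# Mobile Plugin versions that carry the fix, keyed by the host release line they support
PLUGIN_WORKAROUND = {
    "jira": {(8, 13): "3.1.5", (8, 20): "3.2.15", (8, 22): "3.2.15"},
    "jsm":  {(4, 13): "3.1.5", (4, 20): "3.2.15", (4, 22): "3.2.15"},
}


def parse_version(text):
    """'8.20.3' -> (8, 20, 3); pads to three components so tuples compare correctly."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts + (0,) * (3 - len(parts))


def is_affected(product, version):
    """True if the given product/version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED[product])


def triage(product, version):
    """Return (affected, nearest fixed release, plugin workaround or None).

    The plugin workaround is only offered for release lines the advisory names
    as compatible; for other affected lines (e.g. 8.14.x-8.19.x) the only
    listed remediation is upgrading Jira/JSM itself.
    """
    v = parse_version(version)
    for lo, hi in AFFECTED[product]:
        if lo <= v < hi:
            return True, ".".join(map(str, hi)), PLUGIN_WORKAROUND[product].get(v[:2])
    return False, None, None
```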

Need Help With This?

Give us a call, or submit a help request here. As an Atlassian Platinum Solution Partner, we’re here to help you keep all your Atlassian products running smoothly.

JRASERVER-73863

JSDSERVER-11840