CVE-2022-26135

EPSS 90.27%
Veröffentlicht 30.06.2022 06:15:07
Zuletzt bearbeitet 21.11.2024 06:53:30
Quelle security@atlassian.com
CVE-Watchlists
Login
Unerledigt
Login

A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. This also affects Jira Management Server and Data Center versions from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10 and from version 4.21.0 before 4.22.4.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Atlassian ≫ Jira Data Center Version >= 8.0.0 < 8.13.22

Atlassian ≫ Jira Data Center Version >= 8.14.0 < 8.20.10

Atlassian ≫ Jira Data Center Version >= 8.21.0 < 8.22.4

Atlassian ≫ Jira Server Version >= 8.0.0 < 8.13.22

Atlassian ≫ Jira Server Version >= 8.14.0 < 8.20.10

Atlassian ≫ Jira Server Version >= 8.21.0 < 8.22.4

Atlassian ≫ Jira Service Desk SwEditiondata_center Version >= 4.0.0 < 4.13.22

Atlassian ≫ Jira Service Desk SwEditionserver Version >= 4.0.0 < 4.13.22

Atlassian ≫ Jira Service Management SwEditiondata_center Version >= 4.14.0 < 4.20.10

Atlassian ≫ Jira Service Management SwEditionserver Version >= 4.14.0 < 4.20.10

Atlassian ≫ Jira Service Management SwEditiondata_center Version >= 4.21.0 < 4.22.4

Atlassian ≫ Jira Service Management SwEditionserver Version >= 4.21.0 < 4.22.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	90.27%	0.996

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://confluence.atlassian.com/display/JIRA/Jira+Server+Security+Advisory+29nd+June+2022

Vendor Advisory

Mitigation

https://jira.atlassian.com/browse/JRASERVER-73863

Vendor Advisory

https://jira.atlassian.com/browse/JSDSERVER-11840

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-26135

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-26135

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-26135

EUVD