Cyber Resilience

CVE-2022-26135

Medium

Published: 30 June 2022

Modified: 21 November 2024
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.8400 (99.3rd percentile)
Risk Priority: 63 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-26135 is a medium-severity SSRF (CWE-918) vulnerability in Atlassian Jira Service Management. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

A vulnerability in the Mobile Plugin for Jira Data Center and Server permits server-side request forgery through a batch endpoint. The flaw affects Atlassian Jira Server and Data Center versions 8.0.0 through 8.13.21, 8.14.0 through 8.20.9, and 8.21.0 through 8.22.3, as well as Jira Service Management Server and Data Center versions 4.0.0 through 4.13.21, 4.14.0 through 4.20.9, and 4.21.0 through 4.22.3. It is tracked as CWE-918 with a CVSS 3.1 score of 6.5.

A remote authenticated attacker, including any user who registers through the self-service sign-up feature, can exploit the flaw to make arbitrary server-side requests and retrieve the full responses. This grants the attacker high-impact read access to internal resources that would otherwise be unreachable from outside the network.

Atlassian has published security advisories and corresponding Jira tickets that identify the fixed releases and direct administrators to upgrade affected instances. The listed patched versions are 8.13.22, 8.20.10, and 8.22.4 for Jira Server/Data Center and the equivalent 4.13.22, 4.20.10, and 4.22.4 releases for Jira Service Management.
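The affected and fixed versions above translate directly into an inventory check. The following Python is an added example, not code from this page or from Atlassian: the range boundaries are transcribed from the advisory text, while the product keys, hostnames and versions in the sample inventory are constructed.

```python
"""Flag Jira / Jira Service Management instances inside the CVE-2022-26135 ranges.

Each affected branch runs from its first listed version up to, but not
including, the fixed release named in the advisory. Build suffixes such as
'-m0001' are ignored when comparing (an assumption of this example).
"""
from __future__ import annotations

import re

# product key -> list of (first_affected, first_fixed); "before" semantics,
# so the fixed release itself is treated as safe. Keys are constructed.
AFFECTED_RANGES: dict[str, list[tuple[str, str]]] = {
    "jira": [("8.0.0", "8.13.22"), ("8.14.0", "8.20.10"), ("8.21.0", "8.22.4")],
    "jira-service-management": [("4.0.0", "4.13.22"), ("4.14.0", "4.20.10"), ("4.21.0", "4.22.4")],
}


def parse_version(v: str) -> tuple[int, ...]:
    """'8.13.22-m0001' -> (8, 13, 22); missing components are padded with 0."""
    nums = [int(m.group()) for m in re.finditer(r"\d+", v)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(product: str, version: str) -> bool:
    """True when `version` satisfies first_affected <= version < first_fixed for any branch."""
    v = parse_version(version)
    # Unknown product keys are not in the advisory, so they are never flagged.
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES.get(product, []))


def triage(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """Return (hostname, version) for every inventory entry still needing the upgrade."""
    return [(host, ver) for host, product, ver in inventory if is_affected(product, ver)]


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("jira-prod-01", "jira", "8.20.9"),                  # affected: below 8.20.10
    ("jira-prod-02", "jira", "8.20.10"),                 # fixed release
    ("jira-dev", "jira", "8.22.3"),                      # affected: below 8.22.4
    ("jsm-prod", "jira-service-management", "4.13.21"),  # affected: below 4.13.22
    ("jsm-test", "jira-service-management", "4.22.4"),   # fixed release
    ("jira-legacy", "jira", "7.13.18"),                  # not in any listed range
]

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {ver} is in an affected range; upgrade to the fixed release")
```

Versions outside the listed ranges (older 7.x or later 9.x lines) are not flagged, because the advisory does not list them; confirm such instances separately rather than treating silence as a clean bill.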

The CVE carries an EPSS score that reached a peak of 0.9027 and currently stands at 0.8400, indicating sustained exploitation interest after disclosure.

EU & UK References

Vulnerability details

A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. This also affects Jira Management Server and Data Center versions from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10 and from version 4.21.0 before 4.22.4.

CWE(s)

CWE-918 (Server-Side Request Forgery)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

atlassian / jira data center: 8.0.0 — 8.13.22 · 8.14.0 — 8.20.10 · 8.21.0 — 8.22.4
atlassian / jira server: 8.0.0 — 8.13.22 · 8.14.0 — 8.20.10 · 8.21.0 — 8.22.4
atlassian / jira service desk: 4.0.0 — 4.13.22
atlassian / jira service management: 4.14.0 — 4.20.10 · 4.21.0 — 4.22.4

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-918

Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.

addresses: CWE-918

Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.

addresses: CWE-918

Validates server-side URLs and resource references to block SSRF attempts.

addresses: CWE-918

Detects server-side request forgery through monitoring of unexpected outbound connections.

References