CVE-2022-26135
Published: 30 June 2022
Summary
CVE-2022-26135 is a medium-severity SSRF (CWE-918) vulnerability in Atlassian Jira Service Management. Its CVSS base score is 6.5 (Medium).
Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A vulnerability in the Mobile Plugin for Jira Data Center and Server permits server-side request forgery through a batch endpoint. The flaw affects Atlassian Jira Server and Data Center versions 8.0.0 through 8.13.21, 8.14.0 through 8.20.9, and 8.21.0 through 8.22.3, as well as Jira Service Management Server and Data Center versions 4.0.0 through 4.13.21, 4.14.0 through 4.20.9, and 4.21.0 through 4.22.3. It is tracked as CWE-918 with a CVSS 3.1 score of 6.5.
A remote authenticated attacker, including any user who registers through the self-service sign-up feature, can exploit the flaw to make arbitrary server-side requests and retrieve the full responses (a full-read SSRF). This grants the attacker high-impact read access to internal resources that would otherwise be unreachable from outside the network.
Atlassian has published security advisories and corresponding Jira tickets that identify the fixed releases and direct administrators to upgrade affected instances. The listed patched versions are 8.13.22, 8.20.10, and 8.22.4 for Jira Server/Data Center and the equivalent 4.13.22, 4.20.10, and 4.22.4 releases for Jira Service Management.
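The affected and fixed version ranges above are the inputs a defender needs for inventory triage. The following helper, added here as an example and not Atlassian's or the advisory's own code, encodes exactly those ranges (lower bound inclusive, upper bound exclusive at the first fixed release) and reports whether a given Jira or Jira Service Management build is affected and which fixed release on its branch resolves it; the product keys "jira" and "jsm" are assumed labels.

```python
"""Triage helper for CVE-2022-26135 (added example, not Atlassian's code).

Decides whether a Jira Server/Data Center or Jira Service Management
version string falls inside one of the affected ranges quoted in the
advisory, and names the smallest fixed release on that branch.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Ranges from the advisory: (first affected, first fixed) per release branch.
# The "jira"/"jsm" keys are assumed labels for the two product lines.
AFFECTED_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "jira": [("8.0.0", "8.13.22"), ("8.14.0", "8.20.10"), ("8.21.0", "8.22.4")],
    "jsm": [("4.0.0", "4.13.22"), ("4.14.0", "4.20.10"), ("4.21.0", "4.22.4")],
}


def parse_version(text: str) -> Version:
    """Parse 'a.b.c' into a comparable tuple; missing components count as 0."""
    parts = text.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {text!r}")
    nums = tuple(int(p) for p in parts)
    # Pad to three components so "8.20" compares as 8.20.0.
    return nums + (0,) * (3 - len(nums))


def minimum_fix(product: str, version: str) -> Optional[str]:
    """Return the first fixed release on the matching branch, or None if
    the version is outside every affected range."""
    v = parse_version(version)
    for start, fixed in AFFECTED_RANGES[product]:
        if parse_version(start) <= v < parse_version(fixed):
            return fixed
    return None


def is_affected(product: str, version: str) -> bool:
    """True when the version lies in [first affected, first fixed)."""
    return minimum_fix(product, version) is not None


if __name__ == "__main__":
    for product, ver in [("jira", "8.22.3"), ("jira", "8.22.4"), ("jsm", "4.20.9")]:
        print(product, ver, "affected" if is_affected(product, ver) else "ok",
              minimum_fix(product, ver))
```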
The CVE carries an EPSS score that reached a peak of 0.9027 and currently stands at 0.8400, indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-30702
Vulnerability details
A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. This also affects Jira Management Server and Data Center versions from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10 and from version 4.21.0 before 4.22.4.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
- Outbound connections to external resources can be monitored and limited at the network boundary, reducing the impact of SSRF.
- Validation of server-side URLs and resource references blocks SSRF attempts.
- Monitoring of unexpected outbound connections detects server-side request forgery.