Summary
Vulnerable plugins, add-ons, extensions, and default settings account for a high rate of application and website compromise. One such vulnerability has been reported in Jira as CVE-2022-26135 and has been classified as critical. A full-read server-side request forgery (SSRF) exists in Mobile Plugin for Jira, a plugin on the Atlassian Marketplace that lets the Jira mobile app connect to the server. The vulnerability does not affect the mobile application itself; it is a vulnerability in the web application.
The web server receives a URL (or a similar request) from an upstream component and retrieves the contents of that URL without sufficiently ensuring that the request is being sent to the expected destination.
The vulnerability is exploitable by any unauthenticated user (including a user who joined via the sign-up feature). This makes the vulnerability a high severity issue.
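The missing control described above is the destination check itself: the server should decide whether a URL handed to it may be fetched before it makes the request. The following is an added example of such a gate, written for this page; it is not code from the advisory, from Atlassian, or from the Mobile Plugin, and the allowed hosts, ports and the function names are constructed for illustration. It applies the two layers a defender normally wants for CWE-918: an explicit allowlist of outbound hosts and schemes, plus a refusal of IP literals that point at loopback, private, link-local or otherwise internal ranges.

```python
"""Outbound-URL check of the kind CWE-918 describes as missing (added example,
not the advisory's or Atlassian's code). Policy values below are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Constructed policy: the only destinations this server is expected to call.
ALLOWED_HOSTS = {"jira.example.internal", "api.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def _is_internal_ip_literal(host: str) -> bool:
    """True when host is an IP literal in a range a server must never be steered to.

    Hostnames (not IP literals) return False here and are judged by the allowlist.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url: str):
    """Return (ok, reason). ok is True only for URLs the policy permits.

    Call this before any fetch; a False result means the request must not be made.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"

    # Embedded credentials are a classic way to confuse host parsing; refuse them.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL is not allowed"

    host = parts.hostname  # lowercased, IPv6 brackets stripped, port removed
    if not host:
        return False, "missing host"

    if _is_internal_ip_literal(host):
        return False, f"destination address is internal: {host}"

    if host not in ALLOWED_HOSTS:
        return False, f"host not on allowlist: {host}"

    try:
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return False, "invalid port"
    if port is not None and port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: one permitted destination and several that the
    # gate refuses before any network request is made.
    for candidate in ("https://api.example.com/rest/api/2/issue",
                      "http://127.0.0.1:8080/",
                      "http://169.254.10.10/",
                      "http://[::1]/",
                      "file:///etc/passwd",
                      "https://user:pw@api.example.com/",
                      "https://api.example.com:9999/"):
        ok, reason = check_outbound_url(candidate)
        print(f"{'ALLOW' if ok else 'DENY '} {candidate}  ({reason})")
```

The allowlist is the primary control; the IP-literal check is defence in depth, since obfuscated address forms that `ipaddress` does not parse fall through to the allowlist and are still refused. One caveat a practitioner should keep in mind: a hostname allowlist judges the name, not the address it resolves to, so an HTTP client that follows redirects or whose DNS answers can change between check and connect still needs the resolved address validated at connection time.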
Solution
If your site is hosted by Atlassian, then you are not affected by the vulnerability. Upgrading to version 4.13.22, 4.20.10, 4.22.4, 8.13.22, 8.20.10 or 8.22.4 fixes this vulnerability.
If you are unable to upgrade Jira or Jira Service Management immediately, then as a temporary workaround you can manually upgrade the Mobile Plugin to the version specified in the Jira advisory linked in the Resources section.
If neither option is possible, disable the plugin; this will stop the Jira mobile app from accessing your Jira instance.
CVEs
CVE-2022-26135
Related CWEs
CWE-918: Server-Side Request Forgery (SSRF)
Resources
- Jira Server Security Advisory 29th June 2022
- CERT-In Vulnerability Note
Authors: Narendra Kumawat, Mahesh Saptarshi
For more information contact: contact@cybersecurist.com