Summary

Vulnerable plugins, add-ons, extensions, and default settings are accountable for a high rate of application and website compromise. One such vulnerability has been reported in Jira - CVE-2022-26135. It has been classified as critical. A full-read server-side request forgery (SSRF) exists in Mobile Plugin for Jira, which is a plugin at Atlassian marketplace which enables Jira mobile app can connect to the server. However, this vulnerability does not affect the Mobile Application, rather it is a vulnerability on the Web Application.

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, and it does not sufficiently ensure that the request is being sent to the expected destination.

The vulnerability is exploitable by any unauthenticated user (including a user who joined via the sign-up feature). This makes the vulnerability a high severity issue.

Solution

If your site is hosted by Atlassian, then you are not affected by the vulnerability. Upgrading to version 4.13.22, 4.20.10, 4.22.4, 8.13.22, 8.20.10 or 8.22.4 fixes this vulnerability.

If you are unable to immediately upgrade Jira or Jira Service Management, then as a temporary workaround, you can manually upgrade the Mobile Plugin to the version specified in Jira Advisory linked in resources section.

If not even that, you should disable this plug in, which will stop Jira mobile app access to your Jira instance.

CVEs

CVE-2022-26135

Related CWEs

CWE-918: Server-Side Request Forgery (SSRF)

Resources

Jira Server Security Advisory 29nd June 2022
• CERT In Vulnerability Note

Authors: Narendra Kumawat, Mahesh Saptarshi

For more information contact:contact@cybersecurist.com