Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2022-26135

Disclosure Date: June 29, 2022 •

CVE-2022-26135 CVSS v3 Base Score: 6.5

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. This also affects Jira Management Server and Data Center versions from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10 and from version 4.21.0 before 4.22.4.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

6.5 Medium

Impact Score:

3.6

Exploitability Score:

2.8

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

None

Availability (A):

None

General Information

Offensive Application

Unknown

Utility Class

Unknown

Ports

Unknown

Vulnerable Versions

Jira Core Server 8.0.0

Jira Core Server 8.13.22

Jira Core Server 8.14.0

Jira Core Server 8.20.10

Jira Core Server 8.21.0

Jira Core Server 8.22.4

Jira Software Server 8.0.0

Jira Software Server 8.13.22

Jira Software Server 8.14.0

Jira Software Server 8.20.10

Jira Software Server 8.21.0

Jira Software Server 8.22.4

Jira Software Data Center 8.0.0

Jira Software Data Center 8.13.22

Jira Software Data Center 8.14.0

Jira Software Data Center 8.20.10

Jira Software Data Center 8.21.0

Jira Software Data Center 8.22.4

Jira Service Management Server 4.0.0

Jira Service Management Server 4.13.22

Jira Service Management Server 4.14.0

Jira Service Management Server 4.20.10

Jira Service Management Server 4.21.0

Jira Service Management Server 4.22.4

Jira Service Management Data Center 4.0.0

Jira Service Management Data Center 4.13.22

Jira Service Management Data Center 4.14.0

Jira Service Management Data Center 4.20.10

Jira Service Management Data Center 4.21.0

Jira Service Management Data Center 4.22.4

Prerequisites

Unknown

Discovered By

Unknown

PoC Author

Unknown

Metasploit Module

Unknown

Reporter

Unknown

Vendors

atlassian

Products

References

Canonical

CVE-2022-26135 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26135)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

jira-mobile-ssrf-exploit (https://github.com/assetnote/jira-mobile-ssrf-exploit) (Added by AKB Worker)

CVE-2022-26135 (https://github.com/safe3s/CVE-2022-26135) (Added by AKB Worker)

Miscellaneous

https://jira.atlassian.com/browse/JRASERVER-73863

https://jira.atlassian.com/browse/JSDSERVER-11840

https://confluence.atlassian.com/display/JIRA/Jira+Server+Security+Advisory+29nd+June+2022

Rapid7

Unknown

CVE-2022-26135

Unknown

Unknown

None

Low

Network

CVE-2022-26135

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Exploit

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2022-26135

Unknown

Unknown

None

Low

Network

CVE-2022-26135

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Exploit

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification