CVE-2022-26135

6.5MEDIUM

Key Information

Vendor: Atlassian
Status: Jira Core Server; Jira Software Server; Jira Software Data Center; Jira Service Management Server
Vendor: CVE Published:; 30 June 2022

Badges

👾 Exploit Exists🔴 Public PoC

Summary

A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. This also affects Jira Management Server and Data Center versions from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10 and from version 4.21.0 before 4.22.4.

Affected Version(s)

Jira Core Server < 8.0.0

Jira Core Server < 8.13.22

Jira Core Server < 8.14.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

jira-mobile-ssrf-exploit
Created by assetnote

CVE-2022-26135
Created by safe3s

EPSS Score

2% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

👾
Exploit exists.
Oct 30, 2024
Vulnerability published.
Jun 30, 2022
Vulnerability Reserved.
Feb 25, 2022

Collectors

NVD DatabaseMitre Database2 Proof of Concept(s)