Jira Mobile - Full-Read Server Side Request Forgery in Mobile Plugin for Jira Data Center and Server - CVE-2022-26135
Dear customer,
On 29 June 2022 at 7 PM CEST, Atlassian issued a Security Advisory for Jira Server and Jira Data Center. The Cloud versions of these applications, as well as other Atlassian products, are not affected.
What you need to know
A full-read server-side request forgery (SSRF) exists in Mobile Plugin for Jira, which is bundled with Jira and Jira Service Management. It is exploitable by any authenticated user, including a user who joined via the sign-up feature. The flaw is in the batch HTTP endpoint of Mobile Plugin for Jira: the method parameter in the body of the vulnerable endpoint controls both the HTTP method and the location of the URL that the server then requests.
Affected Versions
Jira Core Server, Jira Software Server, and Jira Software Data Center:
Versions after 8.0 and before 8.13.22
8.14.x
8.15.x
8.16.x
8.17.x
8.18.x
8.19.x
8.20.x before 8.20.10
8.21.x
8.22.x before 8.22.4
Jira Service Management Server and Data Center:
Versions after 4.0 and before 4.13.22
4.14.x
4.15.x
4.16.x
4.17.x
4.18.x
4.19.x
4.20.x before 4.20.10
4.21.x
4.22.x before 4.22.4
What should I do?
You use Jira Server or Jira Data Center
Update
To address this issue, Atlassian released:
Jira Core Server, Jira Software Server, and Jira Software Data Center versions:
8.13.22
8.20.10
8.22.4
9.0.0
Jira Service Management Server and Data Center versions:
4.13.22
4.20.10
4.22.4
5.0.0
You can download the latest versions from the download pages for Jira Core, Jira Software, or Jira Service Management.
Please note, these are the first versions that include the fix for CVE-2022-26135. More current bug fix releases are available for the releases listed above. Atlassian recommends upgrading to the most current bug fix version.
Mitigation
Installing a fixed version of Jira or Jira Service Management is the surest way to remediate CVE-2022-26135. If you are unable to upgrade Jira or Jira Service Management immediately, then as a temporary workaround you can manually upgrade Mobile Plugin for Jira Data Center and Server (app key com.atlassian.jira.mobile.jira-mobile-rest) to one of the versions listed in this section, or disable the plugin. Depending on your Jira version, the app might not be listed under "User-installed" apps; if so, check for it under "System" apps. It might also appear under a different name; in that case, look for the app with the app key com.atlassian.jira.mobile.jira-mobile-rest.
The following versions of the Mobile Plugin for Jira app contain a fix for this issue:
3.1.5 (compatible with Jira 8.13.x and JSM 4.13.x)
3.2.15 (compatible with Jira 8.20.x and 8.22.x, compatible with JSM 4.20.x and 4.22.x)
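To turn the affected-version table and the mitigation options above into something an operator can run against their own instance list, here is an added triage helper. It is example code written for this notice, not Atlassian or bitvoodoo tooling. It encodes the affected ranges and the interim plugin versions exactly as listed above (reading "after 8.0" as 8.0.0 onwards, and likewise for JSM 4.x), and it parses a constructed sample of the JSON record that the Universal Plugin Manager REST API returns for an app (the endpoint GET /rest/plugins/1.0/<app-key>-key and its version/enabled fields are an assumption here; adapt if your UPM version differs).

```python
"""Triage helper for CVE-2022-26135 (Mobile Plugin for Jira SSRF).

Added example, not part of the bitvoodoo notice or any Atlassian tooling.
Encodes the affected-version table and the interim plugin fix versions from the
advisory so an operator can decide, per instance, whether a Jira upgrade, a
plugin upgrade, or disabling the plugin is the required action.
"""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """'8.20.10' -> (8, 20, 10). Missing components become 0; suffixes such
    as '-rc1' or '-jira9' are ignored for the comparison."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", s.strip())
    if not m:
        raise ValueError(f"not a version string: {s!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


# Affected ranges from the advisory as half-open [lower, upper) intervals.
# "after 8.0 and before 8.13.22" is read as 8.0.0 <= v < 8.13.22 (assumption);
# the same reading applies to the JSM 4.x line. 9.0.0 / 5.0.0 and later are fixed.
AFFECTED = {
    "jira": [((8, 0, 0), (8, 13, 22)), ((8, 14, 0), (8, 20, 10)), ((8, 21, 0), (8, 22, 4))],
    "jsm":  [((4, 0, 0), (4, 13, 22)), ((4, 14, 0), (4, 20, 10)), ((4, 21, 0), (4, 22, 4))],
}

# First Mobile Plugin for Jira release carrying the fix, keyed by feature line.
# Lines not listed here (e.g. 8.19.x) have no plugin-only fix.
FIXED_PLUGIN = {
    "jira": {(8, 13): (3, 1, 5), (8, 20): (3, 2, 15), (8, 22): (3, 2, 15)},
    "jsm":  {(4, 13): (3, 1, 5), (4, 20): (3, 2, 15), (4, 22): (3, 2, 15)},
}


def is_affected(product: str, version: str) -> bool:
    """True if this Jira ('jira') or Jira Service Management ('jsm') version is listed as affected."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED[product])


def plugin_fix_version(product: str, version: str) -> Optional[Version]:
    """Interim plugin version for this feature line, or None when only a Jira upgrade
    (or disabling the plugin) remediates the issue."""
    return FIXED_PLUGIN[product].get(parse_version(version)[:2])


def triage(product: str, jira_version: str, plugin_version: Optional[str] = None,
           plugin_enabled: bool = True) -> str:
    """Decide the required action for one instance.

    Returns 'not-affected', 'mitigated-plugin-disabled', 'mitigated-plugin-upgraded',
    'upgrade-plugin' or 'upgrade-jira'.
    """
    if not is_affected(product, jira_version):
        return "not-affected"
    if not plugin_enabled:
        # A disabled plugin removes the vulnerable endpoint; this is what was done on
        # hosted instances whose Jira version allowed no plugin update.
        return "mitigated-plugin-disabled"
    fix = plugin_fix_version(product, jira_version)
    if fix is None:
        return "upgrade-jira"
    if plugin_version is not None and parse_version(plugin_version) >= fix:
        return "mitigated-plugin-upgraded"
    return "upgrade-plugin"


def status_from_upm_json(text: str) -> Tuple[str, bool]:
    """Extract (version, enabled) from a UPM app record.

    Assumption: the record returned by GET /rest/plugins/1.0/<app-key>-key carries
    'version' and 'enabled' keys; only those two are used here.
    """
    doc = json.loads(text)
    return doc["version"], bool(doc.get("enabled", False))


# Constructed sample of a UPM record, trimmed to the keys this helper reads.
SAMPLE_UPM_JSON = (
    '{"key": "com.atlassian.jira.mobile.jira-mobile-rest", '
    '"version": "3.2.14", "enabled": true}'
)

if __name__ == "__main__":
    ver, enabled = status_from_upm_json(SAMPLE_UPM_JSON)
    for product, jv in [("jira", "8.20.9"), ("jira", "8.20.10"), ("jira", "8.19.1"), ("jsm", "4.22.3")]:
        print(f"{product} {jv} with plugin {ver} (enabled={enabled}) -> {triage(product, jv, ver, enabled)}")
```

In practice you would fetch the UPM record with an admin session and feed its body to `status_from_upm_json`, then call `triage` with the instance's Jira or JSM version. Note that a feature line such as 8.19.x yields `upgrade-jira`: no fixed plugin build exists for it, so the choice is a Jira upgrade or disabling the app until one can be scheduled.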
You use Jira Cloud
You are not affected by this Security Advisory.
No action is needed.
You use Jira Server or Jira Data Center on servers operated by bitvoodoo
Mitigation
The mitigation has been implemented on the instances hosted in the bitvoodoo cloud. On instances where the installed Jira version did not allow the app to be updated, we have disabled the app.
Update
Customers with an LTS Update Package will be contacted to discuss whether an update is needed.
Support
If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via support.bitvoodoo.ch.