MEDIUM · 6.5

CVE-2022-26135

Vulnerability Description

A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. This also affects Jira Management Server and Data Center versions from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10 and from version 4.21.0 before 4.22.4.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: NONE
Availability: NONE

Affected Products

Vendor | Product | Versions
Atlassian | Jira Data Center | >= 8.0.0, < 8.13.22
Atlassian | Jira Server | >= 8.0.0, < 8.13.22
Atlassian | Jira Service Desk | >= 4.0.0, < 4.13.22
Atlassian | Jira Service Management | >= 4.14.0, < 4.20.10

Related Weaknesses (CWE)

References

FAQ

What is CVE-2022-26135?

CVE-2022-26135 is a vulnerability with a CVSS score of 6.5 (MEDIUM). A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint.

How severe is CVE-2022-26135?

CVE-2022-26135 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2022-26135?

Check the references section above for vendor advisories and patch information. Affected products include: Atlassian Jira Data Center, Atlassian Jira Server, Atlassian Jira Service Desk, Atlassian Jira Service Management.