Vulnerability in Atlassian Jira Core Server
CVE-2022-26135
A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affect…
EPSS: 0.840 (99.3th percentile)
Affected products
- Atlassian Jira Core Server — versions 8.0.0, unspecified, 8.14.0
- Atlassian Jira Service Management Data Center — versions 4.0.0, unspecified, 4.14.0
- Atlassian Jira Service Management Server — versions 4.0.0, unspecified, 4.14.0
- Atlassian Jira Software Data Center — versions 8.0.0, unspecified, 8.14.0
- Atlassian Jira Software Server — versions 8.0.0, unspecified, 8.14.0
References
- jira.atlassian.com/browse/JRASERVER-73863 (x_refsource_MISC)
- jira.atlassian.com/browse/JSDSERVER-11840 (x_refsource_MISC)
- confluence.atlassian.com/display/JIRA/Jira+Server+Security+Advisory+29nd+June+2… (x_refsource_MISC)
Frequently asked questions
- What is CVE-2022-26135?
  CVE-2022-26135 is a vulnerability in Atlassian Jira Core Server. Published 2022-06-30.
- Is CVE-2022-26135 known to be exploited?
  22 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.