Vendor Atlassian warns of a security vulnerability in its Jira project management software. The flaw lies in the Mobile Plugin for Jira and enables a so-called server-side request forgery (SSRF) with full read access to the response. Attackers could use it, among other things, to steal credentials.
Atlassian explains that the vulnerability can be exploited by attackers who can authenticate to the system, including those who obtained an account via the self-registration (sign-up) feature. The underlying flaw is in an HTTP endpoint used by the Mobile Plugin for Jira: attackers can control both the HTTP method and the target URL of the request the server issues, via the associated method parameters (CVE-2022-26135, rated "high").
Impact: it depends …
Server-side request forgery (SSRF) of this type lets attackers route requests through the vulnerable server, effectively using it as a relay, to reach systems that are otherwise protected and cannot be accessed directly from outside, such as hosts on an internal network. The potential impact therefore varies with the environment in which the vulnerable Jira instance is deployed.
In its security advisory, Atlassian explains that, for example, with an installation in an AWS environment, sensitive credentials may become accessible, which could then be used to cause further damage. The vendor stresses that this is its own assessment and that administrators should evaluate the impact for the application in their own IT environment.
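The defensive counterpart to the flaw described above is an endpoint that refuses to forward a user-controlled (method, URL) pair unless it passes a strict policy. The following is an added, self-contained example and not Atlassian's code or fix; the allow-list, the offline DNS table, and the hostnames in it are constructed for illustration. It shows the three checks that an unrestricted proxy endpoint lacks: restricting the method, allow-listing the destination host, and rejecting destinations that resolve to non-public addresses such as the link-local cloud metadata address (169.254.169.254), which is how credentials leak in AWS-style environments.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed policy for this example: the only hosts the server-side fetch may
# contact, the only method the endpoint may forward, and the allowed schemes.
ALLOWED_HOSTS = {"api.example.com", "rebind.example.com"}
ALLOWED_METHODS = {"GET"}
ALLOWED_SCHEMES = {"https", "http"}

# Constructed DNS table so the example runs offline. "rebind.example.com" is on
# the allow-list but resolves to an internal address, which simulates a
# rebound or misconfigured name and shows why a host allow-list alone is not enough.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "rebind.example.com": ["10.0.0.5"],
}


def fake_resolver(host):
    """Return the addresses a name resolves to (constructed, offline)."""
    return FAKE_DNS.get(host, [])


def live_resolver(host):
    """Resolve with the system resolver; returns every A/AAAA answer."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr):
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918 ranges, link-local (including the
    169.254.169.254 cloud metadata address), multicast, reserved and
    unspecified addresses for both IPv4 and IPv6.
    """
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_request(method, url, resolver=fake_resolver):
    """Decide whether a user-supplied (method, url) pair may be forwarded.

    Returns (allowed, reason). Every check here is one the vulnerable
    pattern omits: the method is pinned, the scheme is restricted, the host
    must be allow-listed (parsed by urlsplit so userinfo tricks such as
    'good.host@169.254.169.254' cannot smuggle a different host), and every
    address the host resolves to must be public.
    """
    if method.upper() not in ALLOWED_METHODS:
        return False, f"method {method!r} not allowed"
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # strips userinfo and port, lower-cased
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allow-list"
    addrs = resolver(host)
    if not addrs:
        return False, f"host {host!r} did not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"host {host!r} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for m, u in [("GET", "https://api.example.com/v1/status"),
                 ("GET", "http://169.254.169.254/latest/meta-data/"),
                 ("PUT", "https://api.example.com/v1/status"),
                 ("GET", "https://api.example.com@169.254.169.254/"),
                 ("GET", "https://rebind.example.com/")]:
        print(m, u, "->", validate_outbound_request(m, u))
```

One caveat a practitioner should keep in mind: checking the resolved address and then letting an HTTP client resolve the name again opens a time-of-check/time-of-use window. The connection should be made to the address that was validated (or the client configured to disable redirects and re-resolution), and the validation should be repeated on any redirect target. None of this replaces the vendor's update; it illustrates what a hardened proxy endpoint must enforce.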
Affected by the vulnerability are Jira Server and Data Center versions before 8.13.22, from 8.14.0 to 8.20.9, and from 8.21.0 to 8.22.3. Jira Service Management Server and Data Center are likewise susceptible in versions before 4.13.22, from 4.14.0 to 4.20.9, and from 4.21.0 to 4.22.3. Atlassian closes the gaps with releases 8.13.22, 8.20.10, 8.22.4 and 9.0.0 of Jira Server and Data Center, and with 4.13.22, 4.20.10, 4.22.4 and 5.0.0 of Jira Service Management Server and Data Center. According to Atlassian, Jira Cloud and Jira Service Management Cloud are not affected by the bug.
If the software cannot be updated promptly, administrators can, as an interim measure, disable the Mobile Plugin for Jira or update the plugin on its own. A Jira vulnerability FAQ published by Atlassian provides details on this.