Advisory: Server Side Request Forgery in Jira Server (CVE-2022-26135)

Summary

Jira Core & Jira Service Desk are vulnerable to server-side request forgery after authenticating. In some cases, it is possible to leverage open sign ups in Jira Core or Jira Service Desk to exploit this server-side request forgery flaw without having known credentials.

Impact

The SSRF vulnerability allows attackers to send HTTP requests using any HTTP method, headers and body to arbitrary URLs. When Jira is deployed on a cloud environment, an attacker can leverage this exploit chain to obtain cloud credentials or other sensitive information through the metadata IP address.

Affected Software

As per the advisory from Atlassian, please see the following knowledge base article to confirm if you are running an affected software version: https://confluence.atlassian.com/jira/jira-server-security-advisory-29nd-june-2022-1142430667.html

Product Description

Jira is a proprietary issue tracking product developed by Atlassian that allows bug tracking and agile project management.

Solution

The remediation details provided from Atlassian’s advisory are satisfactory and will ensure that this vulnerabilty cannot be exploited.

The knowledge base article detailing the patches or workaround to apply can be found here.

Blog Post

The blog post detailing the steps taken for the discovery of this vulnerability can be found here.

Credits

Assetnote Security Research Team

Timeline

The timeline for this disclosure process can be found below:

• Apr 21st, 2022: Disclosure of SSRF vulnerability affecting Jira server & Jira Cloud to Atlassian’s security team
• Apr 21st, 2022: Atlassian confirms security vulnerability and triages it in their internal issue tracker.
• June 22nd, 2022: Atlassian confirms advisory publication date and asks us for credit information.
• June 29th, 2022: Atlassian publishes advisory with patches.