
Cloud Vulnerability DB
A community-led vulnerabilities database
A high severity vulnerability (CVE-2022-26135) was discovered in the Mobile Plugin for Jira Data Center and Server. The vulnerability allows a remote, authenticated user (including users who joined via the sign-up feature) to perform a full read server-side request forgery (SSRF) via a batch endpoint. The issue affects Jira Server and Data Center versions from 8.0.0 before 8.13.22, 8.14.0-8.20.9, and 8.21.0-8.22.3, as well as Jira Service Management Server and Data Center versions from 4.0.0 before 4.13.22, 4.14.0-4.20.9, and 4.21.0-4.22.3. The vulnerability was discovered and reported by Shubham Shah and Dylan Pindur of Assetnote (Atlassian Advisory).
The vulnerability exists in the batch API endpoint of the Mobile Plugin for Jira. The endpoint builds the URL of each batched request by simple string concatenation of the instance base URL with a caller-supplied location, without validating the result. A URL of the form https://<jira-host>@targethost.com/... is parsed with the Jira host as the userinfo part and targethost.com as the real host, so an attacker who supplies a location beginning with '@targethost.com' makes the server-side HTTP client send the request to a host of their choosing. The Batch API accepts up to 5 requests per call, each with attacker-controlled HTTP method, headers, and body, and returns the responses to the caller, which is what makes this a full-read SSRF. The CVSS score for this vulnerability is 7.2 (High) (Assetnote Research).
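The following Python block is an added illustration of the concatenation flaw described above and of one way to harden it; it is not the plugin's code, and the base URL, the request shapes and the hosts are constructed for the example. The vulnerable builder appends the caller-supplied location to the base URL exactly as the advisory describes, and a standard URL parser then reports the attacker's host as the request target. The hardened builder resolves the location against the base URL and refuses any result whose scheme or authority differs from the base.

```python
from urllib.parse import urljoin, urlsplit

# Constructed example base URL of a Jira instance (assumption, not a real host).
BASE_URL = "https://jira.example.com"
MAX_BATCH = 5  # the Batch API accepts up to five requests per call


def build_batch_url_vulnerable(base_url: str, location: str) -> str:
    """Re-creation of the flawed pattern: plain string concatenation."""
    return base_url + location


def target_host(url: str) -> str:
    """Host an HTTP client would actually connect to for this URL."""
    # urlsplit treats everything before the last '@' in the authority as
    # userinfo, so "https://jira.example.com@evil/" has hostname "evil".
    return urlsplit(url).hostname or ""


def is_allowed_location(base_url: str, location: str) -> bool:
    """True only if resolving location against base_url stays on the base origin."""
    base = urlsplit(base_url)
    resolved = urlsplit(urljoin(base_url.rstrip("/") + "/", location))
    # Rejects "//host/..." (scheme-relative), "http://host/..." (absolute) and
    # any userinfo trick, because netloc is compared as a whole.
    return (resolved.scheme, resolved.netloc) == (base.scheme, base.netloc)


def build_batch_url_hardened(base_url: str, location: str) -> str:
    """Resolve relative to the base and enforce same-origin before returning."""
    if not is_allowed_location(base_url, location):
        raise ValueError(f"location {location!r} escapes base {base_url}")
    return urljoin(base_url.rstrip("/") + "/", location)


def resolve_batch(requests: list[dict], builder) -> list[tuple[str, str]]:
    """Apply a URL builder to a batch and report (method, host) per request."""
    if len(requests) > MAX_BATCH:
        raise ValueError(f"batch limited to {MAX_BATCH} requests")
    return [(r.get("method", "GET"), target_host(builder(BASE_URL, r["location"])))
            for r in requests]


if __name__ == "__main__":
    # Constructed batch: one legitimate request and one aimed at the AWS
    # instance metadata service via the '@host' trick.
    batch = [
        {"method": "GET", "location": "/rest/api/2/myself"},
        {"method": "GET", "location": "@169.254.169.254/latest/meta-data/"},
    ]
    print("vulnerable:", resolve_batch(batch, build_batch_url_vulnerable))
    for req in batch:
        try:
            print("hardened:", build_batch_url_hardened(BASE_URL, req["location"]))
        except ValueError as exc:
            print("hardened rejected:", exc)
```

Note that the hardened builder deliberately keeps a leading '@' as part of the path rather than rejecting it: after resolution the authority is still the Jira host, which is the property that matters. Comparing the whole netloc (not just the hostname) is what catches userinfo, port and scheme-relative variants in one check.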
The impact of this vulnerability varies depending on the deployment environment. In cloud environments such as AWS, an SSRF of this kind can be aimed at the instance metadata service to obtain temporary credentials, and at internal services that trust requests originating from the Jira host. Because the attacker controls the HTTP method, headers, and body and reads the full response, any URL reachable from the Jira server is exposed, potentially revealing internal systems and sensitive information (Assetnote Advisory).
Atlassian recommends upgrading to a fixed version: Jira Core Server and Data Center 8.13.22, 8.20.10, 8.22.4, or 9.0.0, or Jira Service Management Server and Data Center 4.13.22, 4.20.10, 4.22.4, or 5.0.0. As a temporary workaround, administrators can manually upgrade the Mobile Plugin for Jira to version 3.2.15 or disable the plugin entirely. Because the plugin ships as a system app, the manual update requires downloading the fixed JAR file from the Atlassian Marketplace and uploading it through the Admin > Manage Apps interface (Atlassian Advisory).
Source: This report was generated using AI