Researchers have discovered an SSRF flaw in Atlassian’s Jira, an issue tracking and project management software, that can be exploited without obtaining credentials by abusing Jira Service Desk’s signup function.
Tracked as CVE-2022-26135, the high-severity, full-read SSRF resided in Jira Server Core. Depending on the configuration of the Jira instance, there are multiple ways to create a user account on Jira and exploit this issue; one is to register on Jira Service Desk and then use that account to access the Jira Core REST APIs.
The issue affects the batch HTTP endpoint used in Mobile Plugin for Jira, which is bundled with Jira and Jira Service Management.
The researchers’ PoC attempts to register an account on Jira Core or Jira Service Desk and then automatically exploits the SSRF vulnerability.
The flaw was reported to Atlassian’s security team on April 21 and patches landed on June 29. All prior versions of Jira and Jira Service Management are affected by the vulnerability.
The researchers found the SSRF after reverse engineering patches for an authentication bypass vulnerability in Seraph disclosed in April 2022, which also affected Mobile Plugin for Jira.
This research was conducted and documented by researchers at Assetnote.
To address this issue, we have released:
- Jira Core Server, Jira Software Server, and Jira Software Data Center versions:
- Jira Service Management Server and Data Center versions: