Atlassian patches Jira server plugin to fix vulnerability

By

Possible credential leak.

Atlassian is warning users of a high-severity security vulnerability in a Jira server plug-in, which could lead to credentials leaking.

Atlassian patches Jira server plugin to fix vulnerability

The Mobile Plugin for Jira Data Centre and Server is used to support users accessing the server from iOS and Android apps.

The company’s advisory says Jira Server and Data Center versions before 8.13.22; from version 8.14.0 before 8.20.10; and from version 8.21.0 before 8.22.4 are affected by this vulnerability.

Also impacted are Jira Service Management Server and Data Center versions before 4.13.22; from version 4.14.0 before 4.20.10; and from version 4.21.0 before 4.22.4.

Cloud sites accessed through an atlassian.net domain are not affected.

Tracked as CVE-2022-26135, the bug is described as a “full-read server-side request forgery”.

While it can only be exploited by an authenticated user, that includes someone who “joined via the sign-up feature”, the advisory explained.

“It specifically affects the batch HTTP endpoint used in Mobile Plugin for Jira. It is possible to control the HTTP method and location of the intended URL through the method parameter in the body of the vulnerable endpoint.”

The bug’s impact is specific to the deployment environment, Atlassian said, but as an example, the company said “when deployed in AWS, it could leak sensitive credentials.”

 

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

SA Water plans 'once-in-a-generation' core technology uplift

SA Water plans 'once-in-a-generation' core technology uplift

Ex-student charged over Western Sydney University cyberattacks

Ex-student charged over Western Sydney University cyberattacks

WhatsApp banned on US House of Representatives devices

WhatsApp banned on US House of Representatives devices

Victoria's first government tech chief steps down

Victoria's first government tech chief steps down

Log In

  |  Forgot your password?