Atlassian is warning users of a high-severity security vulnerability in a Jira server plug-in, which could lead to credentials leaking.
The Mobile Plugin for Jira Data Centre and Server is used to support users accessing the server from iOS and Android apps.
The company’s advisory says Jira Server and Data Center versions before 8.13.22; from version 8.14.0 before 8.20.10; and from version 8.21.0 before 8.22.4 are affected by this vulnerability.
Also impacted are Jira Service Management Server and Data Center versions before 4.13.22; from version 4.14.0 before 4.20.10; and from version 4.21.0 before 4.22.4.
Cloud sites accessed through an atlassian.net domain are not affected.
Tracked as CVE-2022-26135, the bug is described as a “full-read server-side request forgery”.
While it can only be exploited by an authenticated user, that includes someone who “joined via the sign-up feature”, the advisory explained.
“It specifically affects the batch HTTP endpoint used in Mobile Plugin for Jira. It is possible to control the HTTP method and location of the intended URL through the method parameter in the body of the vulnerable endpoint.”
The bug’s impact is specific to the deployment environment, Atlassian said, but as an example, the company said “when deployed in AWS, it could leak sensitive credentials.”