Ambientia's response to Atlassian CVE-2022-26135
Incident Report for Ambientia
This incident has been resolved.
Posted Jul 06, 2022 - 15:52 EEST
On Wednesday 29 June 2022 at 20:00 EEST, Atlassian announced a high-severity vulnerability (CVE-2022-26135) in the Mobile Plugin for Jira. Using this vulnerability, an attacker with a valid Jira login can issue specially crafted requests that cause Jira itself to make further HTTP requests to endpoints of the attacker's choosing, i.e. a server-side request forgery (SSRF). Depending on the environment, this may lead to unintended data disclosure or serve as an access vector into other parts of the infrastructure Jira runs on, such as internal services reachable from the Jira host but not from the Internet.

To mitigate this vulnerability, Ambientia has, wherever possible, updated the affected Jira system plugin to a fixed version. Where an upgrade was not possible because the Jira version is too old to run the fixed plugin, the plugin has been disabled instead; disabling it removes the vulnerable endpoint but also stops the Jira mobile apps from working against that instance until Jira itself can be upgraded. For the majority of Jira installations under Ambientia's management we have been able to upgrade the plugin to a fixed version.

We will contact customers whose Jira instance requires further action (e.g. a Jira upgrade) as a result of this vulnerability.
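As an added example (not part of Ambientia's or Atlassian's material), the following Python script shows one way to verify the mitigation described above across a fleet of managed instances: it reads the plugin listing that Jira's Universal Plugin Manager returns from GET /rest/plugins/1.0/ and classifies the Mobile Plugin as mitigated (fixed version, or disabled), vulnerable, unknown (release line not in the table) or not installed. The plugin key and the fixed version numbers (3.1.5 for the 3.1 line, 3.2.15 for the 3.2 line) are assumptions that should be verified against Atlassian's advisory, and the four instance responses are constructed sample data, not real Ambientia systems.

```python
"""Classify the Mobile Plugin for Jira on managed instances for CVE-2022-26135.

Input per instance is the JSON that Jira's Universal Plugin Manager (UPM)
returns from GET /rest/plugins/1.0/: a "plugins" list whose records carry
"key", "version" and "enabled". The sample responses below are constructed
for this example; the plugin key and the fixed versions are assumptions that
must be checked against Atlassian's advisory before relying on the result.
"""
import json
import re

# Assumed UPM plugin key for "Mobile Plugin for Jira".
MOBILE_PLUGIN_KEY = "com.atlassian.jira.mobile.jira-mobile-rest"

# Assumed first fixed version per plugin release line (verify against the advisory):
# the 3.1.x line is fixed from 3.1.5 onward, the 3.2.x line from 3.2.15 onward.
FIXED_VERSIONS = {(3, 1): (3, 1, 5), (3, 2): (3, 2, 15)}


def parse_version(text):
    """Turn '3.2.15' or '3.1.5-SNAPSHOT' into a comparable tuple of at least three ints."""
    match = re.match(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unparseable plugin version: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def classify(plugin):
    """Return 'mitigated', 'vulnerable' or 'unknown' for one UPM plugin record."""
    if not plugin.get("enabled", True):
        # A disabled plugin no longer serves the endpoint, so the instance is mitigated
        # even though the installed version is still the vulnerable one.
        return "mitigated"
    version = parse_version(plugin["version"])
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # Release line not covered by the table: needs a manual look at the advisory.
        return "unknown"
    return "mitigated" if version >= fixed else "vulnerable"


def check_instance(upm_json):
    """Locate the Mobile Plugin in one instance's UPM listing and classify it."""
    data = json.loads(upm_json)
    for plugin in data.get("plugins", []):
        if plugin.get("key") == MOBILE_PLUGIN_KEY:
            return classify(plugin)
    return "not installed"


# Constructed sample UPM responses for four hypothetical instances (not real data).
SAMPLE_INSTANCES = {
    "jira-a": json.dumps({"plugins": [
        {"key": MOBILE_PLUGIN_KEY, "version": "3.2.15", "enabled": True}]}),
    "jira-b": json.dumps({"plugins": [
        {"key": MOBILE_PLUGIN_KEY, "version": "3.2.12", "enabled": True}]}),
    "jira-c": json.dumps({"plugins": [
        {"key": MOBILE_PLUGIN_KEY, "version": "3.1.3", "enabled": False}]}),
    "jira-d": json.dumps({"plugins": [
        {"key": "com.atlassian.jira.some-other-plugin", "version": "1.0", "enabled": True}]}),
}


def report(instances=SAMPLE_INSTANCES):
    """Map each instance name to its mitigation status."""
    return {name: check_instance(body) for name, body in instances.items()}


if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name}: {status}")
```

In practice the UPM listing would be fetched per instance with an administrator session; the comparison logic is the same. Note that a plugin on the 3.2 line at, say, 3.2.0 is classified as vulnerable even though it is numerically above 3.1.5, because each release line has its own first fixed version.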

Link to the official vulnerability announcement:

We are monitoring the situation and are prepared to implement additional measures if they are required.
Posted Jun 29, 2022 - 22:12 EEST