Lucene search
Security-metrics-botJRASERVER-74776HistoryFeb 03, 2023 - 5:50 a.m.
Jira Server/DC impacted by CVE-2022-22970 & CVE-2022-22971 via vulnerable version of Spring framework
2023-02-0305:50:39
security-metrics-bot
jira.atlassian.com
19
0.006 Low
EPSS
Percentile
79.0%
Jira is not impacted (no action is required) as the vulnerability {+}cannot be exploited{+}.
All Jira versions below 9.6 uses an affected version of Spring Framework, reason why the JRASERVER-74776 was published, however Jira {+}does not use the affected methods from the Spring{+}, hence {+}is not impacted{+}:
- CVE-2022-22970 Spring Framework handling file uploads Denial of Service: Spring is not used for file handling, {}we use commons-fileupload v1.3.3{}.
- CVE-2022-22971 Spring Framework using STOMP over WebSockets Denial of Service: Jira has no usages of WebSockets
No action is required at the moment to mitigate the vulnerabilities as Jira is not impacted.
Affected versions of Atlassian Jira Server/DC is impacted by CVE-2022-22970 & CVE-2022-22971 owing to use of spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions.
Affected versions:
- version < 9.6.0
Fixed versions:
- 9.6.0
| CPE | Name | Operator | Version |
|---|---|---|---|
| jira data center | le | 9.4.0 | |
| jira data center | le | 8.20.15 | |
| jira data center | lt | 9.6.0 | |
| jira data center | lt | 8.20.22 | |
| jira data center | lt | 9.4.6 |
Related
nessus
nessus
Atlassian Jira < 9.6.0 (JRASERVER-74776) (deprecated)
2023-03-13 00:00:00
Oracle MySQL Enterprise Monitor (Jan 2023 CPU)
2023-01-20 00:00:00
Oracle WebLogic Server 14.1.1 < 14.1.1.0.221010 (Oct 2022 CPU)
2022-10-20 00:00:00
openvas
openvas
atlassian
atlassian
Synchrony Proxy: spring-beans 5.3.19 is vulnerable to CVE-2022-22970
2022-09-14 06:31:26
ibm
ibm
Security Bulletin: IBM Common Licensing is vulnerable by a remote code attack in Spring Framework and Apache Commons(CVE-2022-22970,CVE-2022-22971,CVE-2022-33980)
2022-07-25 07:50:01
cve
cve
CVE-2022-22971
2022-05-12 20:15:00
CVE-2022-22970
2022-05-12 20:15:00
github
github
Allocation of Resources Without Limits or Throttling in Spring Framework
2022-05-13 00:00:29
Denial of service in Spring Framework
2022-05-13 00:00:28
prion
prion
Design/Logic Flaw
2022-05-12 20:15:00
Design/Logic Flaw
2022-05-12 20:15:00
cvelist
cvelist
CVE-2022-22971
2022-05-12 19:30:49
CVE-2022-22970
2022-05-12 19:28:47
osv
osv
Allocation of Resources Without Limits or Throttling in Spring Framework
2022-05-13 00:00:29
CVE-2022-22971
2022-05-12 20:15:15
CVE-2022-22970
2022-05-12 20:15:15
redhatcve
redhatcve
CVE-2022-22971
2022-05-18 17:34:35
CVE-2022-22970
2022-05-18 17:34:33
debiancve
debiancve
CVE-2022-22971
2022-05-12 20:15:00
CVE-2022-22970
2022-05-12 20:15:00
alpinelinux
alpinelinux
CVE-2022-22971
2022-05-12 20:15:00
CVE-2022-22970
2022-05-12 20:15:00
cnvd
cnvd
Spring Framework Denial of Service Vulnerability (CNVD-2022-68890)
2022-05-13 00:00:00
Spring Framework Denial of Service Vulnerability
2022-05-13 00:00:00
veracode
veracode
Denial Of Service (DoS)
2022-05-13 07:20:06
Denial Of Service (DoS)
2022-05-13 03:46:21
ubuntucve
ubuntucve
CVE-2022-22971
2022-05-12 00:00:00
CVE-2022-22970
2022-05-12 00:00:00
redhat
redhat
oracle
oracle
Oracle Critical Patch Update Advisory - January 2023
2023-01-17 00:00:00
Oracle Critical Patch Update Advisory - October 2022
2022-10-18 00:00:00
Oracle Critical Patch Update Advisory - July 2023
2023-07-18 00:00:00