Jira is not impacted (no action is required) as the vulnerability cannot be exploited.
All Jira versions below 9.6 use an affected version of Spring Framework, which is why JRASERVER-74776 was published. However, Jira does not use the affected methods from Spring, hence it is not impacted:
No action is required at the moment to mitigate the vulnerabilities as Jira is not impacted.
Affected versions of Atlassian Jira Server/DC are impacted by CVE-2022-22970 and CVE-2022-22971 owing to the use of Spring Framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions.
Affected versions:
Fixed versions:
| CPE | Name | Operator | Version |
|---|---|---|---|
| | jira data center | le | 9.4.0 |
| | jira data center | le | 8.20.15 |
| | jira data center | lt | 9.6.0 |
| | jira data center | lt | 8.20.22 |
| | jira data center | lt | 9.4.6 |