Lucene search

K
atlassianSecurity-metrics-botJRASERVER-74776
HistoryFeb 03, 2023 - 5:50 a.m.

Jira Server/DC impacted by CVE-2022-22970 & CVE-2022-22971 via vulnerable version of Spring framework

2023-02-0305:50:39
security-metrics-bot
jira.atlassian.com
16

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

0.006 Low

EPSS

Percentile

78.6%

Jira is not impacted (no action is required) as the vulnerability {+}cannot be exploited{+}.

All Jira versions below 9.6 uses an affected version of Spring Framework, reason why the JRASERVER-74776 was published, however Jira {+}does not use the affected methods from the Spring{+}, hence {+}is not impacted{+}:

  • CVE-2022-22970 Spring Framework handling file uploads Denial of Service: Spring is not used for file handling, {}we use commons-fileupload v1.3.3{}.
  • CVE-2022-22971 Spring Framework using STOMP over WebSockets Denial of Service: Jira has no usages of WebSockets

No action is required at the moment to mitigate the vulnerabilities as Jira is not impacted.


Affected versions of Atlassian Jira Server/DC is impacted by CVE-2022-22970 & CVE-2022-22971 owing to use of spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions.

Affected versions:

  • version < 9.6.0

Fixed versions:

  • 9.6.0

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

0.006 Low

EPSS

Percentile

78.6%