PT-2022-6383 · Atlassian · Jira Service Management Server

Published: 2022-07-22 · Updated: 2024-10-29 · CVE-2022-36800

CVSS v2.0: 6.1 (Medium)

Vector: AV:N/AC:L/Au:M/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Atlassian Jira Service Management Server and Data Center versions prior to 4.22.2

Description

The issue allows remote attackers who lack the "Browse Users" permission to view groups through an Information Disclosure vulnerability in the "browsegroups.action" endpoint. It stems from insufficient request validation on the server side, which can be exploited to perform a Server-Side Request Forgery (SSRF) attack.

Recommendations

For versions prior to 4.22.2, update to version 4.22.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "browsegroups.action" endpoint until the update can be applied. Do not expose the endpoint without proper validation and authorization, so as to minimize the risk of exploitation.
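As an added example (not part of this advisory and not Atlassian's own guidance), one way to apply the temporary workaround above is to deny the endpoint at a reverse proxy in front of Jira. The fragment assumes Jira listens on 127.0.0.1:8080 behind nginx, that 10.0.0.0/8 is the only network that should keep access, and uses placeholder hostname and certificate paths.

```nginx
# Added example, not from the advisory: temporary workaround for CVE-2022-36800
# that blocks the vulnerable endpoint at an nginx reverse proxy.
# Assumptions: Jira/JSM listens on 127.0.0.1:8080; 10.0.0.0/8 is the assumed
# administrator network that should keep access; hostname and TLS paths are placeholders.
upstream jira_backend {
    server 127.0.0.1:8080;   # assumed Jira/JSM listener
}

server {
    listen 443 ssl;
    server_name jira.example.internal;              # placeholder hostname
    ssl_certificate     /etc/nginx/tls/jira.crt;    # placeholder path
    ssl_certificate_key /etc/nginx/tls/jira.key;    # placeholder path

    # Regex locations are evaluated before the "/" prefix location below, so this
    # block wins for any context path and any letter casing. No trailing "$" is
    # used so variants such as ";jsessionid=..." appended to the path still match.
    # nginx matches against the normalized, percent-decoded URI without the query string.
    # Remove this block once the instance runs 4.22.2 or later.
    location ~* browsegroups\.action {
        allow 10.0.0.0/8;    # assumed admin network keeps access
        deny  all;           # everyone else receives HTTP 403
        proxy_pass http://jira_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        proxy_pass http://jira_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading nginx, a request for the endpoint from an address outside 10.0.0.0/8 should return 403 while the rest of the site is unaffected; this only helps if Jira is not reachable on port 8080 except through the proxy.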

Fix

Weakness Enumeration

SSRF

Incorrect Permission

Related Identifiers

BDU:2023-01119
CVE-2022-36800

Affected Products

Jira Service Management Server