Atlassian Releases Patches for Critical Jira Authentication Bypass Vulnerability
Atlassian has released new security patches for its Jira and Jira Service Management solutions. The latest set of updates addresses a critical vulnerability that could let attackers bypass authentication controls.
According to Atlassian’s security advisory, the bug was first discovered by Khoadha of Viettel Cyber Security. Tracked as CVE-2022-0540 and issued a CVSS score of 9.9, the security flaw resides in Jira’s authentication framework called Jira Seraph.
For those unfamiliar, Seraph is a Servlet security framework that is used in J2EE web applications. It offers various security tools that help IT admins protect their Jira installations from cyber attacks. In Jira and Confluence, Seraph uses some pluggable core elements to handle all authentication requests.
“A remote, unauthenticated attacker could exploit this by sending a specially crafted HTTP request to bypass authentication and authorization requirements in WebWork actions using an affected configuration,” the company explained.
Atlassian confirmed that the CVE-2022-0540 vulnerability affects several products: Jira Core Server, Jira Software Server, Jira Software Data Center, Jira Service Management Server, and Jira Service Management Data Center. However, the security flaw doesn’t impact the cloud-based Jira and Jira Service Management products.
Here’s the full list of versions affected by the CVE-2022-0540 vulnerability:
- Jira Core Server, Software Server, and Software Data Center prior to versions 8.13.18, the 8.14.x, 8.15.x, 8.16.x, 8.17.x, 8.18.x, 8.19.x, 8.20.x before 8.20.6, and 8.21.x.
- Jira Service Management Server and Management Data Center prior to versions 4.13.18, 4.14.x, 4.15.x, 4.16.x, 4.17.x, 4.18.x, 4.19.x, 4.20.x before 4.20.6, and 4.21.x.
The Jira authentication bypass vulnerability affects over 200 Atlassian marketplace apps
In addition to these Jira products, Atlassian noted that the security flaw affects its Mobile Plugin for Jira and Insight – Asset Management applications. Moreover, the vulnerability impacts more than 200 apps available on the Atlassian marketplace.
Atlassian advises customers to upgrade to the latest version of Jira or Jira Service Management to mitigate potential security attacks. However, users who can’t install the security patches can simply update the vulnerable apps to a fixed version or disable them altogether.
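Deciding whether a given Jira or Jira Service Management instance falls inside the affected ranges listed above is easy to get wrong by eye, because the fixed releases (8.13.18 and 8.20.6, 4.13.18 and 4.20.6) sit in the middle of otherwise affected lines. The following script is an added example, not code from Atlassian or from this article: it encodes the version ranges exactly as the list states them and runs them over a constructed inventory so that hosts still needing the upgrade (or the app update/disable workaround) can be prioritised. Hostnames and versions in `INVENTORY` are made up; versions on a line later than the last one listed (for example 8.22.x) are not in the list and are reported as not affected, which should be confirmed against the advisory itself.

```python
"""Check Jira / Jira Service Management versions against the CVE-2022-0540
affected ranges as listed in the article (added example, not Atlassian code).

Jira Core/Software Server and Data Center:
    < 8.13.18, 8.14.x-8.19.x, 8.20.x before 8.20.6, 8.21.x   -> affected
Jira Service Management Server and Data Center:
    < 4.13.18, 4.14.x-4.19.x, 4.20.x before 4.20.6, 4.21.x   -> affected
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


@dataclass(frozen=True)
class Rule:
    lts_fixed: Version               # first fixed release on the long-term-support line
    branch_fixed: Version            # first fixed release on the later branch
    last_affected_line: Tuple[int, int]  # last minor line the list marks as wholly affected


RULES: Dict[str, Rule] = {
    "jira": Rule(lts_fixed=(8, 13, 18), branch_fixed=(8, 20, 6), last_affected_line=(8, 21)),
    "jsm":  Rule(lts_fixed=(4, 13, 18), branch_fixed=(4, 20, 6), last_affected_line=(4, 21)),
}


def parse_version(text: str) -> Version:
    """Turn '8.20.6' (or a shorter '8.20') into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    parts += [0] * (3 - len(parts))          # missing components count as 0
    return (parts[0], parts[1], parts[2])


def is_affected(product: str, version: str) -> bool:
    """Return True if the version lies in an affected range for the product ('jira' or 'jsm')."""
    rule = RULES[product]
    v = parse_version(version)
    if v < rule.lts_fixed:                   # anything before the LTS fix, e.g. 7.x, 8.12.x, 8.13.0-8.13.17
        return True
    if v[:2] == rule.lts_fixed[:2]:          # 8.13.18 and later 8.13.x releases carry the fix
        return False
    if v < rule.branch_fixed:                # 8.14.x .. 8.19.x and 8.20.0 .. 8.20.5
        return True
    if v[:2] == rule.branch_fixed[:2]:       # 8.20.6 and later 8.20.x releases carry the fix
        return False
    return v[:2] <= rule.last_affected_line  # 8.21.x affected; 8.22+ is not in the list


# Constructed sample inventory (hostnames and versions are made up for this example).
INVENTORY: List[Dict[str, str]] = [
    {"host": "jira-prod-01", "product": "jira", "version": "8.13.17"},
    {"host": "jira-prod-02", "product": "jira", "version": "8.20.6"},
    {"host": "jira-dev-01",  "product": "jira", "version": "8.21.1"},
    {"host": "jsm-prod-01",  "product": "jsm",  "version": "4.20.2"},
    {"host": "jsm-prod-02",  "product": "jsm",  "version": "4.22.0"},
]


def affected_hosts(inventory: List[Dict[str, str]]) -> List[str]:
    """Hostnames from the inventory whose product/version pair falls in an affected range."""
    return [e["host"] for e in inventory if is_affected(e["product"], e["version"])]


if __name__ == "__main__":
    for entry in INVENTORY:
        state = "AFFECTED" if is_affected(entry["product"], entry["version"]) else "ok"
        print(f"{entry['host']:<14} {entry['product']:<5} {entry['version']:<8} {state}")
```

The comparisons rely on Python's tuple ordering, so `(8, 20, 5) < (8, 20, 6)` behaves like a normal version comparison; the two `v[:2] == ...` checks are what stop the fixed 8.13.x and 8.20.x releases from being swept up by the "less than" tests for the next range.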