Atlassian Releases Patches for Critical Jira Authentication Bypass Vulnerability
Atlassian has released security patches for its Jira and Jira Service Management products. The updates address a critical vulnerability that could let a remote, unauthenticated attacker bypass authentication controls.
According to Atlassian’s security advisory, the bug was first discovered by Khoadha of Viettel Cyber Security. Tracked as CVE-2022-0540 and issued a CVSS score of 9.9, the security flaw resides in Jira’s authentication framework called Jira Seraph.
For those unfamiliar, Seraph is Atlassian's servlet filter-based security framework for Java EE web applications. In Jira and Confluence it handles every authentication request through a set of pluggable core components, which is why a flaw in it reaches every request path the application protects rather than a single feature.
“A remote, unauthenticated attacker could exploit this by sending a specially crafted HTTP request to bypass authentication and authorization requirements in WebWork actions using an affected configuration,” the company explained.
Atlassian confirmed that CVE-2022-0540 affects Jira Core Server, Jira Software Server, Jira Software Data Center, Jira Service Management Server, and Jira Service Management Data Center. The cloud-hosted Jira and Jira Service Management products are not affected.
Here’s the full list of versions affected by the CVE-2022-0540 vulnerability:
- Jira Core Server, Jira Software Server, and Jira Software Data Center: all versions before 8.13.18; 8.14.x, 8.15.x, 8.16.x, 8.17.x, 8.18.x and 8.19.x; 8.20.x before 8.20.6; and 8.21.x. The fixed releases are 8.13.18, 8.20.6 and 8.22.0.
- Jira Service Management Server and Jira Service Management Data Center: all versions before 4.13.18; 4.14.x, 4.15.x, 4.16.x, 4.17.x, 4.18.x and 4.19.x; 4.20.x before 4.20.6; and 4.21.x. The fixed releases are 4.13.18, 4.20.6 and 4.22.0.
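A practical way to act on the version list above, as an added example that is not Atlassian's code: the script encodes the affected ranges as half-open version intervals, parses the `version` and `deploymentType` fields of Jira's `GET /rest/api/2/serverInfo` response, and reports whether the instance falls inside an affected range. The product keys `jira` and `jsm`, the helper names, and the sample response are this example's own; the 8.22.0 and 4.22.0 upper bounds are the first feature releases after the listed affected branches.

```python
"""Version check for CVE-2022-0540 (Jira Seraph authentication bypass).

Added example, not Atlassian's code. The ranges below encode the advisory's
affected-version list; 8.22.0 and 4.22.0 are the first unaffected feature
releases. The product keys "jira" and "jsm" are this script's own names.
"""
import json
import re

# Affected ranges as half-open intervals [low, high) over (major, minor, patch).
AFFECTED = {
    # Jira Core Server, Jira Software Server and Data Center
    "jira": [
        ((0, 0, 0), (8, 13, 18)),   # every release before 8.13.18
        ((8, 14, 0), (8, 20, 0)),   # 8.14.x through 8.19.x: no fixed release on these branches
        ((8, 20, 0), (8, 20, 6)),   # 8.20.x before 8.20.6
        ((8, 21, 0), (8, 22, 0)),   # all of 8.21.x; 8.22.0 is the first fixed feature release
    ],
    # Jira Service Management Server and Data Center
    "jsm": [
        ((0, 0, 0), (4, 13, 18)),   # every release before 4.13.18
        ((4, 14, 0), (4, 20, 0)),   # 4.14.x through 4.19.x
        ((4, 20, 0), (4, 20, 6)),   # 4.20.x before 4.20.6
        ((4, 21, 0), (4, 22, 0)),   # all of 4.21.x; 4.22.0 is the first fixed feature release
    ],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn '8.20.5' (or '8.20.5-something') into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(product, version):
    """True if the version lies inside one of the product's affected ranges."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED[product])


def check_server_info(product, payload):
    """Classify the JSON body returned by Jira's GET /rest/api/2/serverInfo.

    Only the 'version' field drives the check; 'deploymentType' is inspected so a
    Cloud instance, which the advisory says is not affected, is never misreported.
    """
    info = json.loads(payload)
    deployment = info.get("deploymentType", "")
    affected = False if deployment == "Cloud" else is_affected(product, info["version"])
    return {"version": info["version"], "deployment": deployment, "affected": affected}


# Constructed sample response, shaped like /rest/api/2/serverInfo on a Server
# instance; it is not a capture from a real system.
SAMPLE_SERVER_INFO = json.dumps({
    "baseUrl": "https://jira.example.internal",
    "version": "8.20.5",
    "deploymentType": "Server",
    "serverTitle": "Example Jira",
})

if __name__ == "__main__":
    result = check_server_info("jira", SAMPLE_SERVER_INFO)
    status = "AFFECTED, upgrade" if result["affected"] else "not in an affected range"
    print(f"{result['version']} ({result['deployment']}): {status}")
```

A clean result from this check only says the core product is patched; the app-level point below still applies to instances that were mitigated by updating or disabling apps rather than upgrading Jira itself.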
The Jira authentication bypass vulnerability affects over 200 Atlassian marketplace apps
In addition to these Jira products, Atlassian noted that the flaw affects two of its own apps, Mobile Plugin for Jira and Insight – Asset Management, as well as more than 200 apps available on the Atlassian Marketplace.
Atlassian advises customers to upgrade to a fixed version of Jira or Jira Service Management, which remediates the vulnerability for the core product and the affected apps alike. Customers who cannot install the patches right away can instead update each affected app to a fixed version, or disable the affected apps until they can upgrade.