Atlassian Patches Critical Jira Authentication Bypass Vulnerability

April 24, 2022 


Atlassian has issued a security advisory addressing a critical authentication bypass vulnerability affecting Jira and Jira Service Management (non-cloud versions). 

Exploiting the vulnerability may lead to remote code execution on the affected system. 

The Vulnerability

  • CVE-2022-0540 (CVSS 3.1: 9.9, Critical) – A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. 

Affected Products

  • Jira Core Server, Jira Software Server, and Jira Software Data Center:
      • All versions prior to 8.13.18.
      • Versions 8.14.x, 8.15.x, 8.16.x, 8.17.x, 8.18.x, 8.19.x.
      • 8.20.x versions before 8.20.6.
      • Versions 8.21.x.
  • Jira Service Management Server and Jira Service Management Data Center:
      • All versions prior to 4.13.18.
      • Versions 4.14.x, 4.15.x, 4.16.x, 4.17.x, 4.18.x, 4.19.x.
      • 4.20.x versions before 4.20.6.
      • Versions 4.21.x.
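To turn the version ranges above into a check that can be run over an asset inventory, here is an added example (not code from Atlassian or CYREBRO). It encodes only the ranges listed in this advisory, treats any version outside them as not affected, and uses a constructed inventory with hypothetical hostnames.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

def parse_version(s: str) -> Version:
    """Parse 'major.minor.patch' (missing parts default to 0) into a comparable tuple."""
    parts = s.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {s!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]

# Affected ranges for CVE-2022-0540 as listed in the advisory, per product family.
#   lts_fix:    "all versions prior to" this one are affected
#   all_minors: minor lines with no fixed release at all (8.14.x .. 8.19.x)
#   line_fix:   patch in the next line that closes the hole (8.20.6 / 4.20.6)
#   tail_minor: minor line listed as affected in full (8.21.x / 4.21.x)
AFFECTED: Dict[str, dict] = {
    "jira": {"major": 8, "lts_fix": (8, 13, 18), "all_minors": range(14, 20),
             "line_fix": (8, 20, 6), "tail_minor": 21},
    "jsm":  {"major": 4, "lts_fix": (4, 13, 18), "all_minors": range(14, 20),
             "line_fix": (4, 20, 6), "tail_minor": 21},
}

def is_affected(product: str, version: str) -> bool:
    """True if the given Jira ('jira') or Jira Service Management ('jsm') version is listed as affected."""
    r = AFFECTED[product]
    v = parse_version(version)
    if v < r["lts_fix"]:
        return True                      # "all versions prior to 8.13.18" (resp. 4.13.18)
    major, minor, _ = v
    if major != r["major"]:
        return False                     # newer majors are not in the advisory's list
    if minor in r["all_minors"]:
        return True                      # 8.14.x .. 8.19.x have no fixed build
    if minor == r["line_fix"][1]:
        return v < r["line_fix"]         # 8.20.x before 8.20.6
    return minor == r["tail_minor"]      # 8.21.x; anything else (e.g. 8.22.x) is not listed

# Constructed inventory: (hostname, product, version). Hostnames are hypothetical.
INVENTORY: List[Tuple[str, str, str]] = [
    ("jira-prod-01", "jira", "8.13.17"),
    ("jira-prod-02", "jira", "8.20.6"),
    ("jira-dev-01", "jira", "8.21.0"),
    ("jsm-prod-01", "jsm", "4.13.18"),
    ("jsm-legacy-01", "jsm", "4.5.2"),
]

def find_affected(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames whose installed version falls in an affected range."""
    return [host for host, product, ver in inventory if is_affected(product, ver)]
```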

Mitigation

CYREBRO recommends updating Jira and Jira Service Management to the newest available versions, as described in the official Atlassian advisory.

Workaround

If updating the vulnerable products is not currently possible, follow the steps listed under the ‘Workarounds’ section of Atlassian’s advisory as a temporary measure.

References: Atlassian Advisory. 
