April 24, 2022
Atlassian Patches Critical Jira Authentication Bypass Vulnerability
Atlassian has issued a security advisory addressing a critical authentication bypass vulnerability affecting Jira and Jira Service Management (non-cloud versions).
Exploiting the vulnerability may lead to remote code execution on the affected system.
- CVE-2022-0540 (CVSS 3.1: 9.9, Critical) – A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request.
- Jira Core Server, Jira Software Server, and Jira Software Data Center:
- All versions prior to 8.13.18.
- Versions 8.14.x, 8.15.x, 8.16.x, 8.17.x, 8.18.x, 8.19.x.
- 8.20.x versions before 8.20.6.
- Versions 8.21.x.
- Jira Service Management Server and Jira Service Management Data Center:
- All versions prior to 4.13.18.
- Versions 4.14.x, 4.15.x, 4.16.x, 4.17.x, 4.18.x, 4.19.x.
- 4.20.x versions before 4.20.6.
- Versions 4.21.x.
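To triage an inventory against the ranges listed above, the following Python check (added here as an example; it is not part of the Atlassian advisory or of CYREBRO's tooling) encodes the affected ranges as a small fix table and classifies each product/version pair. The product keys, the FIXES table, the host names and the sample inventory are constructed for illustration; the check treats the first minor version the advisory does not list as affected (8.22.x / 4.22.x) as the clean boundary.

```python
import re
from typing import Iterable

# Affected ranges from the advisory, reduced to a fix table (constructed for this example).
# Per product family: (major line, {minor: first fixed patch}, first minor not listed as affected).
# "All versions prior to X.13.18" covers every earlier minor and every earlier major line.
FIXES = {
    # Jira Core Server, Jira Software Server, Jira Software Data Center
    "jira": (8, {13: 18, 20: 6}, 22),
    # Jira Service Management Server and Jira Service Management Data Center
    "jsm": (4, {13: 18, 20: 6}, 22),
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into integers; a missing patch component counts as 0."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable(product: str, version: str) -> bool:
    """Return True if product/version falls inside the ranges the advisory lists for CVE-2022-0540."""
    line_major, fixed_patch, first_clean_minor = FIXES[product]
    major, minor, patch = parse_version(version)
    if major < line_major:            # older major lines fall under "all versions prior to X.13.18"
        return True
    if major > line_major:            # a newer major line is not listed as affected
        return False
    if minor in fixed_patch:          # branches with a backported fix: compare the patch level
        return patch < fixed_patch[minor]
    return minor < first_clean_minor  # every other minor up to X.21 is affected in full


def triage(inventory: Iterable[tuple[str, str, str]]) -> list[str]:
    """Return the host names from (host, product, version) tuples that still need patching."""
    return [host for host, product, version in inventory if is_vulnerable(product, version)]


# Constructed sample inventory; host names and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("jira-prod-01", "jira", "8.13.17"),  # LTS branch, one patch short of the fix
    ("jira-prod-02", "jira", "8.13.18"),  # fixed
    ("jira-dev-01", "jira", "8.19.1"),    # whole 8.19.x branch affected
    ("jira-dev-02", "jira", "8.20.6"),    # fixed
    ("jira-legacy", "jira", "7.13.0"),    # older major, covered by "all versions prior to 8.13.18"
    ("jsm-prod-01", "jsm", "4.21.0"),     # whole 4.21.x branch affected
    ("jsm-prod-02", "jsm", "4.22.0"),     # not listed as affected
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2022-0540, update or apply the advisory's workaround")
```

Run it against an export of your own asset inventory in the same (host, product, version) shape; anything it returns is still inside a listed range and should be updated or mitigated per the advisory.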
CYREBRO recommends updating Jira and Jira Service Management to the fixed versions listed in the official Atlassian advisory.
If updating the affected products is not currently possible, apply the temporary mitigations described under the ‘Workarounds’ section of Atlassian’s advisory until the update can be performed.
References: Atlassian Advisory.