Atlassian Drops Patches for Critical Jira Authentication Bypass Vulnerability

News

Atlassian has published a security advisory warning of a critical vulnerability in its Jira software that could be abused by a remote, unauthenticated attacker to circumvent authentication protections.

Tracked as CVE-2022-0540, the flaw is rated 9.9 out of 10 on the CVSS scoring system and resides in Jira’s authentication framework, Jira Seraph. Khoadha of Viettel Cyber Security has been credited with discovering and reporting the security weakness.

“A remote, unauthenticated attacker could exploit this by sending a specially crafted HTTP request to bypass authentication and authorization requirements in WebWork actions using an affected configuration,” Atlassian noted.

CyberSecurity

The flaw affects the following Jira products –

  • Jira Core Server, Jira Software Server and Jira Software Data Center: All versions before 8.13.18, 8.14.x, 8.15.x, 8.16.x, 8.17.x, 8.18.x, 8.19.x, 8.20.x before 8.20.6, and 8.21.x
  • Jira Service Management Server and Jira Service Management Data Center: All versions before 4.13.18, 4.14.x, 4.15.x, 4.16.x, 4.17.x, 4.18.x, 4.19.x, 4.20.x before 4.20.6, and 4.21.x

Fixed Jira and Jira Service Management versions are 8.13.18, 8.20.6, and 8.22.0 and 4.13.18, 4.20.6, and 4.22.0.

Atlassian also noted that the flaw affects first and third-party apps only if they are installed in one of the aforementioned Jira or Jira Service Management versions and that they are using a vulnerable configuration.

CyberSecurity

Users are strongly recommended to update to one of the patched versions to mitigate potential exploitation attempts. If immediate patching isn’t an option, the company is advising updating the affected apps to a fixed version or disabling them altogether.

It’s worth noting that a critical remote code execution flaw in Atlassian Confluence (CVE-2021-26084, CVSS score: 9.8) was actively weaponized in the wild last year to install cryptocurrency miners on compromised servers.

Products You May Like

Articles You May Like

ZuoRAT Malware Hijacking Home-Office Routers to Spy on Targeted Networks
“Missing Cryptoqueen” hits the FBI’s Ten Most Wanted list
It’s Social Media Day! Here’s How to Protect Yourself From Social Engineering Online
Phishing scam poses as Canadian tax agency before Canada Day
What Is Identity Theft and How Do You Recover From It?

Leave a Reply

Your email address will not be published.