Atlassian has published a security advisory warning of a critical vulnerability in its Jira software that could be abused by a remote, unauthenticated attacker to circumvent authentication protections.
Tracked as CVE-2022-0540, the flaw is rated 9.9 out of 10 on the CVSS scoring system and resides in Jira’s authentication framework, Jira Seraph. Khoadha from Viettel Cyber Security was credited with identifying and reporting the weakness.
“A remote, unauthenticated attacker could exploit this by sending a specially crafted HTTP request to bypass authentication and authorization requirements in WebWork actions using an affected configuration,” Atlassian noted.
The flaw affects the following Jira products:
- Jira Core Server, Jira Software Server and Jira Software Data Center: all versions before 8.13.18, 8.14.x, 8.15.x, 8.16.x, 8.17.x, 8.18.x, 8.19.x, 8.20.x before 8.20.6, and 8.21.x
- Jira Service Management Server and Jira Service Management Data Center: all versions before 4.13.18, 4.14.x, 4.15.x, 4.16.x, 4.17.x, 4.18.x, 4.19.x, 4.20.x before 4.20.6, and 4.21.x
Fixed versions are 8.13.18, 8.20.6 and 8.22.0 for Jira, and 4.13.18, 4.20.6 and 4.22.0 for Jira Service Management.
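The affected and fixed ranges above are awkward to check by hand across a fleet because the LTS line (8.13.x / 4.13.x) and the 8.20.x / 4.20.x line each have their own fix version while every release in between is affected. The following is an added example, not code from Atlassian or from the original advisory, that encodes those ranges and flags affected installs. The inventory entries and hostnames are constructed sample data. Note that a version in range is only the first condition: per the advisory, exploitation also requires an installed app that uses a vulnerable configuration, which this check does not assess.

```python
"""Check Jira / Jira Service Management versions against the CVE-2022-0540 ranges.

Added example; version boundaries come from the advisory text quoted above,
the inventory below is constructed sample input.
"""
from typing import List, Tuple

# (first fix on the LTS line, fix on the 8.20/4.20 line, first fixed feature release)
FIXES = {
    "jira": ((8, 13, 18), (8, 20, 6), (8, 22, 0)),
    "jsm": ((4, 13, 18), (4, 20, 6), (4, 22, 0)),
}

# Constructed sample inventory: (hostname, product family, reported version).
SAMPLE_INVENTORY = [
    ("jira-prod.example.internal", "jira", "8.20.5"),
    ("jira-lts.example.internal", "jira", "8.13.18"),
    ("jsm.example.internal", "jsm", "4.21.1"),
    ("jira-old.example.internal", "jira", "7.13.0"),
    ("jira-new.example.internal", "jira", "8.22.0"),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """'8.20.6' -> (8, 20, 6); missing components pad with 0, and a
    non-numeric suffix such as '8.20.6-beta' is ignored."""
    parts: List[int] = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(product: str, version: str) -> bool:
    """True when the version falls inside the advisory's affected ranges."""
    lts_fix, feature_fix, next_fix = FIXES[product]
    v = parse_version(version)
    if v < lts_fix:
        return True                 # "all versions before 8.13.18" (incl. earlier majors)
    if v[:2] == lts_fix[:2]:
        return False                # 8.13.18 and later 8.13.x are fixed
    if v[:2] < feature_fix[:2]:
        return True                 # 8.14.x through 8.19.x, no fix on those lines
    if v[:2] == feature_fix[:2]:
        return v < feature_fix      # 8.20.x before 8.20.6
    return v < next_fix             # 8.21.x affected; 8.22.0 and later fixed


def affected_hosts(inventory) -> List[str]:
    """Return the hostnames whose version is inside an affected range."""
    return [host for host, product, version in inventory
            if is_affected(product, version)]


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print("AFFECTED:", host)
```

Feed it the product family and the version string Jira reports (for example from the footer of the login page or the `/rest/api/2/serverInfo` endpoint on an authenticated session) rather than a package name; the comparison is purely on the numeric version and ignores whether the affected first-party or third-party apps are actually installed.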
Atlassian also noted that the flaw is only exploitable through first-party or third-party apps that are installed in an affected Jira or Jira Service Management version and that use a vulnerable configuration in their WebWork actions; a vulnerable Jira version with no such app installed is not exposed.
Users should upgrade to one of the fixed versions to prevent exploitation attempts. Where Jira itself cannot be patched immediately, the company recommends updating the affected apps to a fixed version, or disabling them completely until the upgrade can be done.
It’s worth noting that a critical remote code execution flaw in Atlassian Confluence (CVE-2021-26084, CVSS score: 9.8) was actively weaponized in the wild last year to install cryptocurrency miners on compromised servers, so internet-exposed Atlassian instances should be treated as likely scan targets once details of this bypass circulate.