Atlassian Patches Jira Authentication Bypass Vulnerability
Atlassian has released a security advisory announcing a critical authentication bypass vulnerability in Seraph, the company’s web authentication framework, affecting Jira products. The vulnerability, tracked as CVE-2022-0540, has a CVSS score of 9.9 and is rated critical.
Which Products Does the Vulnerability Affect?
According to Atlassian’s statement, the vulnerability affects Jira Core Server, Jira Software Server, Jira Software Data Center, Jira Service Management Server, and Jira Service Management Data Center.
The affected versions, as listed in the company’s advisory, are:
Jira Core Server, Software Server, and Software Data Center:
- All versions before 8.13.18
- 8.14.x
- 8.15.x
- 8.16.x
- 8.17.x
- 8.18.x
- 8.19.x
- 8.20.x before 8.20.6
- 8.21.x
Jira Service Management Server and Data Center:
- All versions before 4.13.18
- 4.14.x
- 4.15.x
- 4.16.x
- 4.17.x
- 4.18.x
- 4.19.x
- 4.20.x before 4.20.6
- 4.21.x
It is stated that the vulnerability does not affect the cloud-based Jira and Jira Service Management products.
Vulnerability Affects Atlassian Marketplace Apps
CVE-2022-0540 also affects the “Insight – Asset Management” and “Mobile Plugin” apps for Jira if they are installed on an affected Jira or Jira Service Management version, or if a vulnerable configuration is used.
How to Fix the Vulnerability?
Atlassian’s security advisory strongly recommends upgrading to a fixed version. If this is not possible, it recommends deactivating the affected products.
The fixed versions are:
- For Jira Core Server, Software Server, and Software Data Center:
  - 8.13.x: upgrade to 8.13.18
  - 8.20.x: upgrade to 8.20.6
  - All other versions: upgrade to 8.22.0
- For Jira Service Management Server and Data Center:
  - 4.13.x: upgrade to 4.13.18
  - 4.20.x: upgrade to 4.20.6
  - All other versions: upgrade to 4.22.0
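As an added example (not from Atlassian’s advisory or this post), the following Python checks an on-premises Jira or Jira Service Management version against the affected and fixed ranges listed above and returns the version the advisory points to. The product keys and the inventory entries are constructed for illustration.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple


class Assessment(NamedTuple):
    affected: bool
    fixed_version: Optional[str]  # version the advisory points to; None if not affected


# Per product family: (major, LTS branch minor, LTS fix patch, second fixed
# branch minor, its fix patch, first fully fixed feature release). Values are
# taken from the advisory lists above; only the major differs between families.
# The keys "jira" and "jsm" are constructed labels for this example.
FAMILIES: Dict[str, Tuple[int, int, int, int, int, str]] = {
    "jira": (8, 13, 18, 20, 6, "8.22.0"),
    "jsm": (4, 13, 18, 20, 6, "4.22.0"),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; reject anything else rather than guess."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(product: str, version: str) -> Assessment:
    """Classify one installed version against the CVE-2022-0540 ranges."""
    major, minor, patch = parse_version(version)
    fam_major, lts_minor, lts_fix, mid_minor, mid_fix, final = FAMILIES[product]
    if major != fam_major:
        raise ValueError(f"{version} is not a {product} Server/Data Center version")
    if (minor, patch) < (lts_minor, lts_fix):  # all versions before 8.13.18 / 4.13.18
        return Assessment(True, f"{major}.{lts_minor}.{lts_fix}")
    if minor == lts_minor:  # 8.13.18+ / 4.13.18+ on the LTS branch is fixed
        return Assessment(False, None)
    if minor == mid_minor:  # 8.20.x / 4.20.x: fixed from .6 onwards
        if patch < mid_fix:
            return Assessment(True, f"{major}.{mid_minor}.{mid_fix}")
        return Assessment(False, None)
    if (minor, patch) >= parse_version(final)[1:]:  # 8.22.0 / 4.22.0 and later
        return Assessment(False, None)
    return Assessment(True, final)  # 8.14.x-8.19.x and 8.21.x (and the 4.x equivalents)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, fix) for every affected inventory entry."""
    hits = []
    for host, product, version in inventory:
        result = assess(product, version)
        if result.affected:
            hits.append((host, product, version, result.fixed_version or ""))
    return hits
```

Running `triage` over a constructed inventory such as `[("jira-01", "jira", "8.20.3"), ("jsm-01", "jsm", "4.13.18")]` flags only the first host, with 8.20.6 as the target version.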