Atlassian Releases Security Updates for Jira and Jira Service Management products

Updates address critical vulnerability known as CVE-2022-0540, which has a CVSS score of 9.9

Threat ID:: CC-4082
Threat Severity:: Information only
Published:: 22 April 2022 8:57 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Updates address critical vulnerability known as CVE-2022-0540, which has a CVSS score of 9.9

Affected platforms

The following platforms are known to be affected:

Versions: All versions before 8.13.18, 8.14.x, 8.15.x, 8.16.x, 8.17.x, 8.18.x, 8.19.x, 8.20.x before 8.20.6, 8.21.x

Altassian Jira

Included Jira products:

Core Server

Software Server

Software Data Center

NOTE: Jira Cloud is unaffected

Versions: All versions before 4.13.18, 4.14.x, 4.15.x, 4.16.x, 4.17.x, 4.18.x, 4.19.x, 4.20.x before 4.20.6, 4.21.x

Atlassian Jira Service Management

Included Jira Service Management products:

Server

Data Center

NOTE: Jira Service Management Cloud is unaffected

Threat details

Introduction

Atlassian has released updates for Jira and Jira Service Management that addresses a critical authentication bypass vulnerability in its web authentication framework, Jira Seraph. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted HTTP request to bypass authentication and authorisation requirements in WebWork actions using an affected configuration and take control of the system.

Remediation advice

Affected organisations are encouraged to review the Atlassian Jira Security Advisory 2022-04-20 and FAQ for CVE-2022-0540 and apply the necessary updates or workarounds.

Definitive source of threat updates

https://confluence.atlassian.com/jira/jira-security-advisory-2022-04-20-1115127899.html

CVE Vulnerabilities

Status Published

CVE-2022-0540

A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0.

Last edited: 22 April 2022 8:59 am