Authentication Bypass in Atlassian Jira (CVE-2022-0540)

Posted on April 20, 2022 in Services & System Applications

Summary

An authentication bypass vulnerability has been found in Atlassian Jira. This issue can be exploited in the default configuration, and has been assigned a bug alert severity of 'very high'.

Details

On Wednesday, April 20th, 2022, Atlassian released a Security Advisory stating that Jira's web authentication framework, Jira Seraph, is vulnerable to an Authentication Bypass vulnerability. At this time they have not released any specifics as to what the exact vulnerable endpoint is, or any indicators of compromise that could lead defenders to believe they have been exploited. It's likely that attackers will inspect the differences in the application binaries between the fixed and vulnerable versions, and develop attack methods rapidly. This post will be updated as information becomes available.

At this time, Atlassian is advising customers to install updated version of Jira Core Server, Jira Software Server, and Jira Software Data Center. If updating is not possible, installing updates to affected plug-ins (found in the advisory) is suggested, followed by disabling those plug-ins if updates are not available.

This vulnerability been assigned CVE-2022-0540. Patches are available now from the vendor.

If you have feedback (did you agree/disagree that a notice should have been sent?) or questions, please comment on the discussion thread linked below. This notice cost the project approximately $50 USD to send. If you would like to support the project, you can learn more here.


Additional vulnerability discussion can be found on GitHub.
Have information to contribute? Make a pull request!