Atlassian has released a security advisory warning of a critical vulnerability in its Jira software that could be abused by a remote, unauthenticated attacker to bypass authentication protections.
Tracked as CVE-2022-0540, the flaw is rated 9.9 out of 10 on the CVSS scoring system and resides in Jira's authentication framework, Jira Seraph. Khoadha of Viettel Cyber Security has been credited with discovering and reporting the security weakness.
"A remote, unauthenticated attacker could exploit this by sending a specially crafted HTTP request to bypass authentication and authorization requirements in WebWork actions using an affected configuration," Atlassian noted.
The flaw affects the following Jira products:
- Jira Core Server, Jira Software Server, and Jira Software Data Center: all versions before 8.13.18, 8.14.x, 8.15.x, 8.16.x, 8.17.x, 8.18.x, 8.19.x, 8.20.x before 8.20.6, and 8.21.x
- Jira Service Management Server and Jira Service Management Data Center: all versions before 4.13.18, 4.14.x, 4.15.x, 4.16.x, 4.17.x, 4.18.x, 4.19.x, 4.20.x before 4.20.6, and 4.21.x
The fixed Jira and Jira Service Management versions are 8.13.18, 8.20.6, and 8.22.0, and 4.13.18, 4.20.6, and 4.22.0, respectively.
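The affected ranges above are easy to misread when checking a fleet by hand (8.20.5 is affected, 8.20.6 is not, 8.21.x is affected although it is newer). The following Python is an added example, not Atlassian tooling, that encodes exactly the ranges and fixed versions listed in the advisory so an inventory can be triaged; the product keys, host names and sample inventory are constructed for the example.

```python
import re

# Fixed versions as stated in Atlassian's advisory. Per the advisory, every
# release line below the newest fix (x.22.0) is affected unless it is one of
# the maintenance lines (x.13.x, x.20.x) at or above its backported fix level.
JIRA_FIXED = ((8, 13, 18), (8, 20, 6), (8, 22, 0))  # Jira Core/Software Server & Data Center
JSM_FIXED = ((4, 13, 18), (4, 20, 6), (4, 22, 0))   # Jira Service Management Server & Data Center

# Product keys are this example's own naming, not Atlassian identifiers.
PRODUCT_FIXES = {
    "jira": JIRA_FIXED,
    "jira-service-management": JSM_FIXED,
}


def parse_version(text: str) -> tuple:
    """Turn '8.20.6', '8.20' or '8.20.6-suffix' into a 3-tuple, padding with 0."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_affected(version: str, fixed=JIRA_FIXED) -> bool:
    """True if `version` falls inside the advisory's affected ranges for that product."""
    v = parse_version(version)
    if v >= fixed[-1]:
        return False                  # x.22.0 and every later release
    for fix in fixed[:-1]:            # maintenance lines that received a backported fix
        if v[:2] == fix[:2]:
            return v < fix            # e.g. 8.20.5 -> affected, 8.20.6 -> patched
    return True                       # everything else below x.22.0: <x.13.18, x.14-x.19, x.21.x


def triage(inventory: dict) -> dict:
    """Map host -> 'AFFECTED' or 'patched' for an inventory of host: (product, version)."""
    return {
        host: "AFFECTED" if is_affected(ver, PRODUCT_FIXES[product]) else "patched"
        for host, (product, ver) in inventory.items()
    }


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "jira-prod-1": ("jira", "8.20.5"),
        "jira-prod-2": ("jira", "8.22.0"),
        "jsm-1": ("jira-service-management", "4.21.1"),
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

The check deliberately treats any version at or above the newest fix as patched and any unlisted line below it as affected, which matches the advisory's "all versions before" wording; feed it the version string Jira reports rather than a guessed one.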
Atlassian also noted that the flaw affects first- and third-party apps only if they are installed in one of the aforementioned Jira or Jira Service Management versions and they are using a vulnerable configuration.
Users are strongly advised to update to one of the patched versions to mitigate potential exploitation attempts. If immediate patching isn't an option, the company recommends updating the affected apps to a fixed version or disabling them altogether.
It's worth noting that a critical remote code execution flaw in Atlassian Confluence (CVE-2021-26084, CVSS score: 9.8) was actively weaponized in the wild in 2021 to install cryptocurrency miners on compromised servers.