The Australian software giant Atlassian has recently addressed a critical bug affecting its Jira software. Exploiting the vulnerability allowed authentication bypass on the Jira web authentication framework.
Jira Authentication Bypass Vulnerability Patched
A security researcher Khoadha from the Vietnam-based firm Viettel Cyber Security caught a critical authentication bypass vulnerability in the Jira software.
Acknowledging the bug in an advisory, Atlassian confirmed patching the flaw that could pose a severe security risk.
The bug typically affected the web authentication framework, allowing a remote adversary to bypass authorization checks. Exploiting the flaw merely required the attacker to send a specially crafted HTTP request to bypass the checks in WebWork actions with the affected configuration.
Describing the vulnerability, the advisory reads,
Although the vulnerability is in the core of Jira, it affects first and third-party apps that specify roles required at the webwork1 action namespace level and do not specify it at an action level. For a specific action to be affected, the action will also need to not perform any other authentication or authorization checks.
The vulnerability, CVE-2022-0540, received a critical severity rating. It impacted multiple versions of Jira Core Server, Jira Software Server, and Jira Software Data Center. Besides, it also affected Jira Service Management Server and Jira Service Management Data Center.
Consequently, the vendors patched the vulnerability with the release of the following product versions.
- Jira Core Server, Jira Software Server, Jira Software Data Center: 8.13.x >= 8.13.18, 8.20.x >= 8.20.6, all versions >= 8.22.0.
- Jira Service Management Server, Jira Service Management Data Center: 4.13.x >= 4.13.18, 4.20.x >= 4.20.6, all versions >= 4.22.0.
All users should ensure upgrading their systems with the latest versions to receive the bug fixes. For some products, Atlassian has even released some newer versions. Thus, users should keep an eye on the latest releases to download. However, if updating the product isn’t possible, Atlassian recommends users disable the vulnerable apps as a workaround to mitigate the flaw until installing the patched version.