Atlassian has published a security advisory warning of a critical vulnerability in its Jira application that could be abused by a distant, unauthenticated attacker to circumvent authentication protections.
Tracked as CVE-2022-0540, the flaw is rated 9.9 out of 10 on the CVSS scoring procedure and resides in Jira’s authentication framework, Jira Seraph. Khoadha of Viettel Cyber Security has been credited with discovering and reporting the security weak point.
“A distant, unauthenticated attacker could exploit this by sending a specifically crafted HTTP ask for to bypass authentication and authorization needs in WebWork actions utilizing an affected configuration,” Atlassian pointed out.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
The flaw influences the pursuing Jira products –
- Jira Core Server, Jira Program Server and Jira Software Data Middle: All versions just before 8.13.18, 8.14.x, 8.15.x, 8.16.x, 8.17.x, 8.18.x, 8.19.x, 8.20.x just before 8.20.6, and 8.21.x
- Jira Provider Administration Server and Jira Assistance Administration Information Middle: All variations in advance of 4.13.18, 4.14.x, 4.15.x, 4.16.x, 4.17.x, 4.18.x, 4.19.x, 4.20.x just before 4.20.6, and 4.21.x
Preset Jira and Jira Services Management versions are 8.13.18, 8.20.6, and 8.22. and 4.13.18, 4.20.6, and 4.22..
Atlassian also pointed out that the flaw influences very first and 3rd-party applications only if they are installed in one of the aforementioned Jira or Jira Services Administration versions and that they are making use of a susceptible configuration.
Customers are strongly advised to update to a person of the patched variations to mitigate opportunity exploitation tries. If fast patching is just not an option, the firm is advising updating the impacted apps to a preset model or disabling them altogether.
It is really really worth noting that a critical remote code execution flaw in Atlassian Confluence (CVE-2021-26084, CVSS rating: 9.8) was actively weaponized in the wild final 12 months to install cryptocurrency miners on compromised servers.
Discovered this post exciting? Observe THN on Facebook, Twitter and LinkedIn to read a lot more distinctive written content we write-up.
Some areas of this short article are sourced from:
thehackernews.com
Wawa Sues Mastercard Over Data Breach Penalties