Atlassian has released a security advisory warning of a critical vulnerability in its Jira software that could be abused by a remote, unauthenticated attacker to bypass authentication protections.
Tracked as CVE-2022-0540, the flaw is rated 9.9 out of 10 on the CVSS scoring system and resides in Jira's authentication framework, Jira Seraph. Khoadha of Viettel Cyber Security has been credited with discovering and reporting the security weakness.
"A remote, unauthenticated attacker could exploit this by sending a specially crafted HTTP request to bypass authentication and authorization requirements in WebWork actions using an affected configuration," Atlassian noted.
The flaw affects the following Jira products:
- Jira Core Server, Jira Software Server and Jira Software Data Center: all versions before 8.13.18, 8.14.x, 8.15.x, 8.16.x, 8.17.x, 8.18.x, 8.19.x, 8.20.x before 8.20.6, and 8.21.x
- Jira Service Management Server and Jira Service Management Data Center: all versions before 4.13.18, 4.14.x, 4.15.x, 4.16.x, 4.17.x, 4.18.x, 4.19.x, 4.20.x before 4.20.6, and 4.21.x
Fixed Jira and Jira Service Management versions are 8.13.18, 8.20.6, and 8.22.0, and 4.13.18, 4.20.6, and 4.22.0, respectively.
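As an added example (not from the advisory or from Atlassian), the version ranges above turned into a check a defender can run over a server inventory; the product keys and the sample inventory are constructed for illustration.

```python
"""Check Jira Server/Data Center versions against the CVE-2022-0540
affected ranges listed in the advisory (example code, not Atlassian's)."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed releases from the advisory. Keys are constructed labels:
# "jira" = Jira Core/Software Server & Data Center,
# "jsm"  = Jira Service Management Server & Data Center.
FIXED_VERSIONS: Dict[str, List[Version]] = {
    "jira": [(8, 13, 18), (8, 20, 6), (8, 22, 0)],
    "jsm": [(4, 13, 18), (4, 20, 6), (4, 22, 0)],
}


def parse_version(text: str) -> Version:
    """Turn '8.20.5' (or '8.21.x', treated as 8.21.0) into a 3-tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(product: str, version: str) -> bool:
    """True if this release falls inside the advisory's affected ranges."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS[product]
    # A version is safe only if it sits on a maintenance branch (major.minor)
    # that received a fix, at or above that fix release (e.g. 8.13.18 fixes
    # 8.13.x but not 8.14.x), or if it is at or beyond the newest fixed
    # release, since every later release inherits the fix.
    for f in fixed:
        if v[:2] == f[:2] and v >= f:
            return False
    return v < fixed[-1]


def triage(inventory: Dict[str, Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose (product, version) is still vulnerable."""
    return sorted(h for h, (p, ver) in inventory.items() if is_affected(p, ver))


# Constructed sample inventory: hostname -> (product, version).
SAMPLE_INVENTORY = {
    "jira-prod-1": ("jira", "8.20.5"),
    "jira-prod-2": ("jira", "8.20.6"),
    "jira-legacy": ("jira", "8.13.17"),
    "jsm-desk": ("jsm", "4.21.1"),
}

if __name__ == "__main__":
    print("still vulnerable:", triage(SAMPLE_INVENTORY))
```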
Atlassian also noted that the flaw affects first- and third-party apps only if they are installed in one of the aforementioned Jira or Jira Service Management versions and they use a vulnerable configuration.
Users are strongly advised to update to one of the patched versions to mitigate potential exploitation attempts. If immediate patching isn't an option, the company recommends updating the affected apps to a fixed version or disabling them entirely.
It's worth noting that a critical remote code execution flaw in Atlassian Confluence (CVE-2021-26084, CVSS score: 9.8) was actively weaponized in the wild in 2021 to install cryptocurrency miners on compromised servers.