Security News > 2022 > April > Atlassian Drops Patches for Critical Jira Authentication Bypass Vulnerability
Atlassian has published a security advisory warning of a critical vulnerability in its Jira software that could be abused by a remote, unauthenticated attacker to circumvent authentication protections.
Tracked as CVE-2022-0540, the flaw is rated 9.9 out of 10 on the CVSS scoring system and resides in Jira's authentication framework, Jira Seraph.
Khoadha of Viettel Cyber Security has been credited with discovering and reporting the security weakness.
"A remote, unauthenticated attacker could exploit this by sending a specially crafted HTTP request to bypass authentication and authorization requirements in WebWork actions using an affected configuration," Atlassian noted.
Atlassian also noted that the flaw affects first and third-party apps only if they are installed in one of the aforementioned Jira or Jira Service Management versions and that they are using a vulnerable configuration.
It's worth noting that a critical remote code execution flaw in Atlassian Confluence was actively weaponized in the wild last year to install cryptocurrency miners on compromised servers.
News URL
https://thehackernews.com/2022/04/atlassian-drops-patches-for-critical.html
Related news
- Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability (source)
- Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence (source)
- Jira Down: Atlassian users experiencing degraded performance (source)
- Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Allows Unauthenticated Code Execution (source)
- ASUS warns of critical auth bypass flaw in routers using AiCloud (source)
- Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028) (source)
- Ivanti warns of critical Neurons for ITSM auth bypass flaw (source)
- Unpatched critical bugs in Versa Concerto lead to auth bypass, RCE (source)
- Critical Windows Server 2025 dMSA Vulnerability Enables Active Directory Compromise (source)
- Over 100,000 WordPress Sites at Risk from Critical CVSS 10.0 Vulnerability in Wishlist Plugin (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-04-20 | CVE-2022-0540 | Unspecified vulnerability in Atlassian Jira Data Center and Jira Service Management A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. | 9.8 |