Atlassian has told iTnews it is working on fixes for two as-yet-unannounced vulnerabilities in its Jira Server software.
The vulnerabilities are present not in Atlassian’s own code but in jackson-databind, part of the third-party Jackson suite of JSON processing libraries for Java that Jira Server bundles.
CVE-2022-42003 and CVE-2022-42004 are both deserialisation bugs in the jackson-databind library.
Both carry a high CVSS severity score of 7.5.
In CVE-2022-42003, “a lack of a check in primitive value deserializers to avoid deep wrapper array nesting” provides the attack vector when the library’s UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. An attacker can send a primitive value wrapped in enough nested arrays to exhaust the call stack and crash the deserialisation: a denial of service, not code execution.
CVE-2022-42004 is similar: deeply nested JSON arrays can crash the BeanDeserializer._deserializeFromArray method, although only applications with certain customised deserialisation settings are exposed.
The bugs affect FasterXML jackson-databind releases before 2.14.0-rc1. Micro-patch releases 2.13.4.2 and 2.12.7.1 have also shipped for the older 2.13 and 2.12 branches.
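The version boundaries above are awkward to check by eye because Jackson uses four-part micro-patch numbers (2.13.4.2 is newer than 2.13.4 but older than 2.14.0-rc1, which is itself newer than every 2.13 release). The following Python check, added here as an example and not code from the article, iTnews, Atlassian or the Jackson project, classifies a jackson-databind version string against the fixed versions named above (2.12.7.1, 2.13.4.2, 2.14.0-rc1) and scans a directory listing for bundled jackson-databind jars. The jar names in the listing are constructed for illustration and are not taken from any Jira release.

```python
import re
from typing import Dict, Iterable, NamedTuple, Tuple


class JacksonVersion(NamedTuple):
    """Sortable form of a Jackson version string.

    Tuple order makes a pre-release (final=False) sort before the final
    release with the same numbers, e.g. 2.14.0-rc1 < 2.14.0.
    """
    numbers: Tuple[int, ...]   # padded to four parts: 2.13.4 -> (2, 13, 4, 0)
    final: bool                # False for -rc1 / -SNAPSHOT style suffixes
    pre: str                   # the suffix itself, "" for a final release


_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?$")
_JAR_RE = re.compile(r"^jackson-databind-(.+)\.jar$")


def parse_version(text: str) -> JacksonVersion:
    """Parse strings such as '2.13.4.2' or '2.14.0-rc1'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised jackson-databind version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))          # pad micro-patch position
    pre = m.group(2) or ""
    return JacksonVersion(nums, pre == "", pre)


# Fix versions as reported above: the first fixed mainline release, plus the
# micro-patch releases for the two maintained older branches.
FIRST_FIXED_RELEASE = parse_version("2.14.0-rc1")
FIXED_IN_BRANCH = {
    (2, 12): parse_version("2.12.7.1"),
    (2, 13): parse_version("2.13.4.2"),
}


def is_affected(version_text: str) -> bool:
    """True if this jackson-databind version predates the fixes for
    CVE-2022-42003 / CVE-2022-42004.

    Presence of an affected version means the library is exposed; whether
    the application is reachable depends on its deserialisation settings
    (UNWRAP_SINGLE_VALUE_ARRAYS and similar customisation).
    """
    v = parse_version(version_text)
    if v >= FIRST_FIXED_RELEASE:          # 2.14.0-rc1 and anything later
        return False
    fix = FIXED_IN_BRANCH.get(v.numbers[:2])
    if fix is None:                       # 2.11 and older: no micro-patch shipped
        return True
    return v < fix


def audit_jar_names(names: Iterable[str]) -> Dict[str, bool]:
    """Map each jackson-databind jar in a listing to its affected status."""
    findings = {}
    for name in names:
        m = _JAR_RE.match(name)
        if m:
            findings[name] = is_affected(m.group(1))
    return findings


if __name__ == "__main__":
    # Constructed listing, not an actual Jira WEB-INF/lib directory.
    listing = [
        "jackson-core-2.13.3.jar",
        "jackson-databind-2.13.3.jar",
        "jackson-databind-2.12.7.1.jar",
        "jackson-annotations-2.13.3.jar",
    ]
    for jar, affected in audit_jar_names(listing).items():
        print(f"{jar}: {'AFFECTED' if affected else 'fixed'}")
```

The comparison relies on the tuple ordering of `JacksonVersion`: numbers first, then the pre-release flag, so a release candidate of 2.14.0 still counts as at or above the fix line, while 2.13.4 (padded to 2.13.4.0) correctly falls below the 2.13.4.2 micro-patch.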
An Atlassian spokesperson acknowledged the vulnerabilities are present in Jira Server, which uses the libraries, after the issue came to iTnews’ attention.
“This is a known issue and we are working on it. In accordance with our security bug fix policy, customers can expect a fix within 90 days from when the issue was verified”, the spokesperson said.