Atlassian has told iTnews it is working on fixes for two as-yet-unannounced vulnerabilities in its Jira Server software.
The vulnerabilities are present not in Atlassian’s own software, but in the third-party Jackson JSON suite of data processing tools for Java.
Both carry a high CVSS severity score of 7.5; the impact in each case is on availability only (a remote, unauthenticated denial of service), not on confidentiality or integrity.
In CVE-2022-42003, “a lack of a check in primitive value deserializers to avoid deep wrapper array nesting” provides the attack vector. An attacker can send a JSON document in which a single primitive value is wrapped in thousands of nested arrays; the deserializer recurses once per level and exhausts the stack, crashing the library. The bug is reachable only when the UNWRAP_SINGLE_VALUE_ARRAYS deserialization feature is enabled.
CVE-2022-42004 is similar: multiple nested JSON arrays can crash the BeanDeserializer._deserializeFromArray function through the same deep recursion. The CVE description notes that an application is exposed only with certain customised deserialization settings.
The bugs affect FasterXML jackson-databind before 2.14.0-rc1. Micro-patches have also shipped on the 2.12 and 2.13 release lines for users who cannot move to 2.14.
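The following is an added example and is not code from the iTnews article, from Atlassian or from the FasterXML project. It builds the kind of deeply nested wrapper-array payload the two CVEs describe, feeds it to an ObjectMapper with UNWRAP_SINGLE_VALUE_ARRAYS enabled (the setting CVE-2022-42003 depends on), and then shows the structural defence: capping parser nesting depth with StreamReadConstraints, an API that exists in jackson-core 2.15 and later (on older versions the only remedy is upgrading). The class name, helper names and the nesting depth of 100,000 are my own choices.

```java
// Added example (not from the iTnews article, Atlassian or FasterXML).
// Requires jackson-databind on the classpath; the depth-limit part needs jackson-core 2.15+.
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

public class NestedArrayDemo {

    /** Constructed payload: `depth` opening brackets around one value, e.g. [[[[1]]]]. */
    static String nestedArrayPayload(int depth, String inner) {
        StringBuilder sb = new StringBuilder(depth * 2 + inner.length());
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append(inner);
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /** Mapper configured the way CVE-2022-42003 requires: single-value wrapper arrays are unwrapped. */
    static ObjectMapper unwrappingMapper() {
        return JsonMapper.builder()
                .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)
                .build();
    }

    /** Same feature, but the parser refuses input nested deeper than maxDepth (jackson-core 2.15+). */
    static ObjectMapper depthLimitedMapper(int maxDepth) {
        StreamReadConstraints limits = StreamReadConstraints.builder()
                .maxNestingDepth(maxDepth)
                .build();
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(limits)
                .build();
        return JsonMapper.builder(factory)
                .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)
                .build();
    }

    public static void main(String[] args) {
        // 100,000 levels is far beyond what a default JVM thread stack can recurse through.
        String payload = nestedArrayPayload(100_000, "1");

        // Unpatched jackson-databind (before 2.14.0-rc1 and the 2.12/2.13 micro-patches)
        // recurses once per bracket and dies with StackOverflowError. Patched 2.12/2.13/2.14
        // builds refuse the second level of wrapping with a MismatchedInputException instead,
        // and 2.15+ stops at its default nesting limit of 1000 before any deserializer runs.
        try {
            int value = unwrappingMapper().readValue(payload, int.class);
            System.out.println("unwrapped to " + value);
        } catch (StackOverflowError e) {
            System.out.println("StackOverflowError: deep wrapper-array nesting exhausted the stack");
        } catch (Exception e) {
            System.out.println("rejected: " + e.getClass().getSimpleName() + ": " + e.getMessage());
        }

        // With an explicit nesting limit the streaming parser rejects the document at bracket
        // number maxDepth + 1, so no databind recursion ever happens regardless of version fixes.
        try {
            depthLimitedMapper(1000).readValue(payload, int.class);
            System.out.println("unexpectedly accepted");
        } catch (StreamConstraintsException e) {
            System.out.println("rejected by StreamReadConstraints: " + e.getMessage());
        } catch (Exception e) {
            System.out.println("rejected: " + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }
}
```

Run it against whichever jackson-databind version your application actually ships: a StackOverflowError from the first block is the vulnerable behaviour, a MismatchedInputException is the micro-patched behaviour, and the second block shows that a nesting cap at the parser removes the whole class of deep-recursion bugs, which is why depth limits are on by default from 2.15.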
An Atlassian spokesperson acknowledged the vulnerabilities are present in Jira Server, which uses the libraries, after the issue came to iTnews’ attention.
“This is a known issue and we are working on it. In accordance with our security bug fix policy, customers can expect a fix within 90 days from when the issue was verified”, the spokesperson said.