nessus | WEB_APPLICATION_SCANNING_113249
This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
History: Jun 28, 2022 - 12:00 a.m.

Atlassian Jira Seraph Authentication Bypass

www.tenable.com

Atlassian Jira versions < 8.13.18, 8.14.x, 8.15.x, 8.16.x, 8.17.x, 8.18.x, 8.19.x, 8.20.x < 8.20.6, 8.21.x, and Atlassian Jira Service Management versions < 4.13.18, 4.14.x, 4.15.x, 4.16.x, 4.17.x, 4.18.x, 4.19.x, 4.20.x < 4.20.6 and 4.21.x, use a common authentication framework named Atlassian Jira Seraph, which suffers from an authentication bypass vulnerability.

By crafting a specific HTTP request, a remote and unauthenticated attacker could exploit this vulnerability to bypass authentication and authorization requirements in WebWork actions using an affected configuration. The impact of the vulnerability depends on the applications used in the Jira or Jira Service Management instance and their usage of the Jira Seraph framework.
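For inventory triage, the version ranges listed above can be encoded as a check. This is an added example, not Tenable's plugin code; the function names, product keys and inventory rows are constructed for illustration, and versions the description does not list (such as 8.22 and later) are reported as not affected.

```python
import re

# Major version per product; the minor/patch boundaries in the description
# are the same for Jira (8.x) and Jira Service Management (4.x).
PRODUCT_MAJOR = {"jira": 8, "jsm": 4}

def parse_version(text):
    """Return (major, minor, patch) from '8.20.5'; a missing patch counts as 0."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def is_affected(product, version):
    """True if the version falls in a range listed in the description."""
    major, minor, patch = parse_version(version)
    base = PRODUCT_MAJOR[product]
    if major != base:
        return major < base        # older majors fall under "< x.13.18"
    if minor < 13:
        return True                # below the x.13 line
    if minor == 13:
        return patch < 18          # "< x.13.18"
    if 14 <= minor <= 19:
        return True                # x.14.x through x.19.x, all releases
    if minor == 20:
        return patch < 6           # "x.20.x < x.20.6"
    return minor == 21             # x.21.x listed; later minors are not

def triage(inventory):
    """Return sorted host names whose product/version pair is affected."""
    return sorted(h for h, product, version in inventory
                  if is_affected(product, version))

# Constructed sample inventory: (host, product key, reported version).
INVENTORY = [
    ("jira-prod", "jira", "8.20.5"),
    ("jira-lts", "jira", "8.13.18"),
    ("jira-old", "jira", "7.13.0"),
    ("desk-prod", "jsm", "4.20.6"),
    ("desk-test", "jsm", "4.21.1"),
]

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print("affected:", host)
```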

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| atlassian | jira_core | * | cpe:2.3:a:atlassian:jira_core:*:*:*:*:*:*:*:* |