We have identified and fixed a privilege escalation vulnerability that affects JIRA instances, including publicly available instances (that is, Internet-facing servers). This vulnerability allows an attacker to bypass authentication and authorisation controls by requesting specially crafted URLs. The attacker does not need to have an account on the affected JIRA server, and is able to execute a large number of administrative actions.
This vulnerability has been fixed in JIRA 5.0.7 and later. Patches are available for JIRA 4.3.4, 4.4.5 and 5.0.6.
Full details are available in the advisory at https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-08-28
Note: the patch instruction files refer to JRA-29138. Please ignore this; they are indeed the correct instructions.
Note 2: If you encounter error messages after applying the patch, see if this KB article applies