Bypass Authentication vulnerability in Atlassian Jira Seraph

Threat Advisories

Bypass Authentication vulnerability in Atlassian Jira Seraph

April 25, 2022

THREAT LEVEL: Green.

For a detailed advisory, download the pdf file here

Atlassian has addressed a vulnerability in its Jira Seraph software, tracked as CVE-2022-0540. An unauthenticated attacker can use to bypass authentication. By submitting a specially crafted HTTP request to the affected software, a threat actor could exploit the vulnerability. Although the vulnerability exists in Jira’s core, it only affects first and third-party apps that define roles-required at the webwork1 action namespace level rather than at the action level. For a given operation to be affected, it must also not complete any further authentication or authorization checks.

This vulnerability has been fixed in Atlassian Jira Server & Data Center versions 8.13.18, 8.20.6 and 8.22.0 and Atlassian Jira Service Management Server and Data Center versions 4.13.18, 4.20.6 and 4.22.0

Vulnerability Details

Bypass-Authentication-vulnerability-in-Atlassian-Jira-Seraph

Patch Links

https://www.atlassian.com/software/jira/core/download

https://www.atlassian.com/software/jira/update

References

https://confluence.atlassian.com/jira/jira-security-advisory-2022-04-20-1115127899.html

https://jira.atlassian.com/browse/JSDSERVER-11224

https://jira.atlassian.com/browse/JRASERVER-73650

Recent Posts

Join Our Newsletter 14,000+ subscribers and growing! Get top cybersecurity news delivered directly to your inbox.
Sign Up to Receive Our Weekly Threat Digest