Bypass Authentication vulnerability in Atlassian Jira Seraph

Atlassian has addressed a vulnerability in its Jira Seraph authentication framework, tracked as CVE-2022-0540, that an unauthenticated attacker can use to bypass authentication. A threat actor could exploit the vulnerability by submitting a specially crafted HTTP request to the affected software. Although the vulnerability exists in Jira's core, it only affects first- and third-party apps that define roles-required at the webwork1 action namespace level rather than at the action level. For a given operation to be affected, it must also perform no further authentication or authorization checks of its own.
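
As an added audit check (example code written for this advisory, not Atlassian's own tooling), the script below parses a constructed atlassian-plugin.xml and lists webwork1 actions that inherit roles-required from the module (namespace) level without declaring it on the action itself, which is the configuration the advisory describes as affected. The descriptor layout and attribute names are assumed from the standard webwork1 plugin module format; any action it flags still needs a manual review for in-code permission checks.

```python
"""Audit a Jira plugin descriptor (atlassian-plugin.xml) for webwork1 actions
whose only access control is a module-level roles-required attribute."""
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not taken from any real plugin). It assumes the
# usual webwork1 layout: roles-required on <webwork1> applies to every nested
# <action>, and an <action> may also carry its own roles-required attribute.
SAMPLE_DESCRIPTOR = """<?xml version="1.0" encoding="UTF-8"?>
<atlassian-plugin key="example.plugin" name="Example">
  <webwork1 key="admin-actions" name="Admin Actions" roles-required="admin">
    <actions>
      <action name="example.ExportAction" alias="ExportData">
        <view name="success">/templates/export.vm</view>
      </action>
      <action name="example.PurgeAction" alias="PurgeData" roles-required="admin">
        <view name="success">/templates/purge.vm</view>
      </action>
    </actions>
  </webwork1>
  <webwork1 key="public-actions" name="Public Actions">
    <actions>
      <action name="example.ViewAction" alias="ViewPublic"/>
    </actions>
  </webwork1>
</atlassian-plugin>
"""


def find_namespace_only_actions(descriptor_xml: str) -> list:
    """Return (module key, action alias) for every action that relies solely on
    roles-required set at the <webwork1> module level, i.e. the action declares
    no roles-required of its own. Modules without a module-level rule are
    skipped: there is nothing to inherit, so this check does not apply."""
    root = ET.fromstring(descriptor_xml)
    findings = []
    for module in root.iter("webwork1"):
        if not module.get("roles-required"):
            continue
        for action in module.iter("action"):
            if action.get("roles-required") is None:
                findings.append((module.get("key"), action.get("alias")))
    return findings


if __name__ == "__main__":
    for key, alias in find_namespace_only_actions(SAMPLE_DESCRIPTOR):
        print(f"{key}: action '{alias}' relies only on module-level roles-required")
```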

This vulnerability has been fixed in Atlassian Jira Server & Data Center versions 8.13.18, 8.20.6 and 8.22.0, and in Atlassian Jira Service Management Server and Data Center versions 4.13.18, 4.20.6 and 4.22.0.

Vulnerability Details


Patch Links