Bypass Authentication vulnerability in Atlassian Jira Seraph

For a detailed advisory, download the pdf file here

Atlassian has addressed an authentication bypass vulnerability in Jira's Seraph authentication framework, tracked as CVE-2022-0540. By sending a specially crafted HTTP request to an affected instance, an unauthenticated attacker can bypass authentication and reach protected webwork1 actions. Although the flaw is in Jira's core, it only affects first- and third-party apps that specify roles-required at the webwork1 action namespace level rather than at the individual action level. For a given action to be affected, it must also perform no further authentication or authorization check of its own.

This vulnerability has been fixed in Atlassian Jira Server and Data Center versions 8.13.18, 8.20.6 and 8.22.0, and in Atlassian Jira Service Management Server and Data Center versions 4.13.18, 4.20.6 and 4.22.0.
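To make the affected pattern concrete, the following atlassian-plugin.xml fragment is an added example, not part of this advisory or of any Atlassian product or app. The plugin key, module key, action class names and view templates are hypothetical. The first webwork1 module puts roles-required only on the namespace element, which is the configuration the advisory describes as exposed; the second declares roles-required on each action as well, which is the configuration the advisory describes as unaffected. In both cases the attribute names and element structure are those of Jira's webwork1 plugin module descriptor.

```xml
<!-- Added example (hypothetical plugin key and class names), not from the advisory. -->
<atlassian-plugin key="com.example.jira.admintools" name="Example Admin Tools" plugins-version="2">

    <!-- EXPOSED PATTERN: roles-required is declared once, on the namespace element,
         and the individual <action> elements inherit nothing of their own. Jira
         instances before the fixed versions can be tricked into reaching these
         actions without authentication (CVE-2022-0540), and the actions do no
         further permission check themselves. -->
    <webwork1 key="admin-actions-exposed" name="Admin Actions (exposed pattern)"
              class="java.lang.Object" roles-required="admin">
        <actions>
            <action name="com.example.jira.admintools.PurgeCacheAction" alias="PurgeCache">
                <view name="success">/templates/purge-cache-success.vm</view>
            </action>
            <action name="com.example.jira.admintools.ExportUsersAction" alias="ExportUsers">
                <view name="success">/templates/export-users.vm</view>
            </action>
        </actions>
    </webwork1>

    <!-- UNAFFECTED PATTERN: roles-required is declared on every <action> element.
         Keeping it on the namespace element as well does no harm, but the per-action
         declaration is what takes the module out of scope of this advisory. -->
    <webwork1 key="admin-actions-hardened" name="Admin Actions (hardened pattern)"
              class="java.lang.Object" roles-required="admin">
        <actions>
            <action name="com.example.jira.admintools.PurgeCacheAction" alias="PurgeCache"
                    roles-required="admin">
                <view name="success">/templates/purge-cache-success.vm</view>
            </action>
            <action name="com.example.jira.admintools.ExportUsersAction" alias="ExportUsers"
                    roles-required="admin">
                <view name="success">/templates/export-users.vm</view>
            </action>
        </actions>
    </webwork1>

</atlassian-plugin>
```

Moving roles-required to the action level is a defence-in-depth measure for app authors and does not replace upgrading Jira to the fixed versions listed above. An action that additionally verifies the caller's permission in its own code (the "further authentication or authorization checks" the advisory refers to) is likewise out of scope even under the exposed descriptor pattern, so reviewing an app for this issue means checking both the descriptor and the action classes.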

Vulnerability Details


Patch Links