Atlassian Fixes Critical Jira Authentication Bypass Vulnerability (CVSS 9.9), Cloud Edition Excluded


Atlassian has released a security advisory describing how its Jira and Jira Service Management products are affected by a critical authentication bypass vulnerability in Seraph, the company’s web application security framework.

Jira Security Advisory 2022-04-20 | Atlassian Support | Atlassian Documentation

Jira and Jira Service Management are vulnerable to an authentication bypass in Jira Seraph, a web authentication framework.

This vulnerability is in the core of Jira, but affects first and third party apps that specify roles-required at the webwork1 action namespace level, but not at the action level. For a particular action to be affected, it must also not perform any other authentication or authorization checks.

A remote, unauthenticated attacker can exploit this by sending a specially crafted HTTP request to bypass the authentication and authorization requirements for WebWork actions that use the affected configuration.

Seraph is used by Jira and Confluence to handle all login and logout requests.

This vulnerability is tracked as CVE-2022-0540 and has a severity rating of 9.9.

This vulnerability allows an attacker to bypass authentication by remotely sending a specially crafted HTTP request to the vulnerable endpoint.

The affected products are Jira Core Server, Jira Software Server, Jira Software Data Center, Jira Service Management Server and Jira Service Management Data Center. Specifically, the following versions are affected.

Jira Core Server, Jira Software Server and Jira Software Data Center: all versions before 8.13.18, 8.14.x, 8.15.x, 8.16.x, 8.17.x, 8.18.x, 8.19.x, 8.20.x before 8.20.6, and 8.21.x. Jira Service Management Server and Jira Service Management Data Center: all versions before 4.13.18, 4.14.x, 4.15.x, 4.16.x, 4.17.x, 4.18.x, 4.19.x, 4.20.x before 4.20.6, and 4.21.x.
This vulnerability does not affect the cloud versions of Jira and Jira Service Management.

Atlassian clearly states that a remote attacker can only compromise the affected products if they use certain settings in Seraph.

Vulnerable application

The severity of CVE-2022-0540 depends on the apps you are using and whether those apps perform additional permission checks beyond what is declared in the Seraph configuration.

Two bundled apps affected by this defect are “Insight – Asset Management” and the “Mobile Plugin” for Jira.

Check the Atlassian advisory for a complete list of affected apps.
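The advisory's affected configuration is a webwork1 module that sets roles-required on the namespace but not on individual actions. The following audit script is an added example, not code from Atlassian or from the article; it parses a constructed atlassian-plugin.xml fragment (the module keys, action names and view paths are invented) and lists the actions that rely on namespace-level roles-required alone, so an administrator or app vendor can review them. It cannot see whether an action's Java code performs its own permission check, which the advisory names as the other condition for being affected.

```python
import xml.etree.ElementTree as ET

# Constructed sample atlassian-plugin.xml fragment (not from Atlassian or any real app).
# The first module sets roles-required only on the <webwork1> namespace; ExportDemo
# inherits it while PurgeDemo restates it at the action level, as does ProfileDemo.
SAMPLE_PLUGIN_XML = """<atlassian-plugin key="com.example.demo" name="Demo">
  <webwork1 key="admin-actions" name="Admin Actions" class="java.lang.Object" roles-required="admin">
    <actions>
      <action name="com.example.demo.ExportAction" alias="ExportDemo">
        <view name="success">/templates/export.vm</view>
      </action>
      <action name="com.example.demo.PurgeAction" alias="PurgeDemo" roles-required="admin">
        <view name="success">/templates/purge.vm</view>
      </action>
    </actions>
  </webwork1>
  <webwork1 key="user-actions" name="User Actions" class="java.lang.Object" roles-required="use">
    <actions>
      <action name="com.example.demo.ProfileAction" alias="ProfileDemo" roles-required="use">
        <view name="success">/templates/profile.vm</view>
      </action>
    </actions>
  </webwork1>
</atlassian-plugin>"""


def find_namespace_only_roles(plugin_xml: str) -> list:
    """Return webwork1 actions that inherit roles-required from their namespace
    but declare none of their own, i.e. the pattern CVE-2022-0540 makes bypassable."""
    root = ET.fromstring(plugin_xml)
    findings = []
    for module in root.iter("webwork1"):
        ns_roles = module.get("roles-required")
        if not ns_roles:
            continue  # no namespace-level requirement, so nothing is inherited
        for action in module.iter("action"):
            if action.get("roles-required"):
                continue  # the action restates the requirement at its own level
            findings.append({
                "module": module.get("key"),
                "action": action.get("alias") or action.get("name"),
                "namespace_roles": ns_roles,
            })
    return findings


if __name__ == "__main__":
    for f in find_namespace_only_roles(SAMPLE_PLUGIN_XML):
        print(f"{f['module']}: action {f['action']} relies only on namespace-level "
              f"roles-required=\"{f['namespace_roles']}\"")
```

Run it against an app's real descriptor (for example, extracted from the installed plugin JAR) to get a review list; the fix remains upgrading Jira to a patched version, since declaring roles at the action level only removes the configuration the advisory describes as affected.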