Atlassian Jira Authentication Bypass Vulnerability (CVE-2022-0540)

An authentication bypass vulnerability has been discovered in Atlassian Jira and Jira Service Management products. The vulnerability is being tracked as CVE-2022-0540.
 
Atlassian has released a public security advisory addressing the critical authentication bypass vulnerability in Seraph, the company’s web application security framework. Note that this vulnerability does not impact the cloud versions of Jira and Jira Service Management. 
 
Jira is a proprietary issue tracking product developed by Atlassian. It is now extensively used by agile development teams to track bugs, stories, epics, and other work items. Seraph is Atlassian's pluggable web application security framework; in Jira and Confluence it handles all login and logout requests. 
 
In an authentication bypass vulnerability, an attacker gains access to an application, service, or device with the rights of an authorized or privileged user by avoiding or manipulating the authentication mechanism rather than defeating the credentials themselves. 
 
Description 
The vulnerability (CVE-2022-0540) allows a remote, unauthenticated attacker to bypass authentication by submitting a specially crafted HTTP request to an affected configuration. 
 
Although the flaw is in Jira's core, it affects first- and third-party apps that declare roles-required at the webwork1 action namespace level rather than at the action level. For a given action to be affected, it must also perform no further authentication or authorization checks of its own; an action that checks permissions itself is not exploitable through this flaw. 
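
The at-risk pattern is easy to spot in an app's atlassian-plugin.xml. The following Python script is an added example, not code from Atlassian, from Qualys, or from this post: it parses a constructed descriptor (the plugin key, module keys, action classes and template paths are invented for illustration) and lists every webwork1 action that inherits roles-required from its namespace without declaring it itself, then produces a copy of the descriptor with the namespace roles pushed down to each such action, which is the action-level form the advisory describes as unaffected.

```python
import xml.etree.ElementTree as ET

# Constructed sample atlassian-plugin.xml (not from any real app). The first
# webwork1 module declares roles-required only at the namespace level, and one
# of its actions relies entirely on that; the second module declares it per action.
SAMPLE_DESCRIPTOR = """<atlassian-plugin key="com.example.demo" name="Demo" plugins-version="2">
  <webwork1 key="admin-actions" name="Admin actions" class="java.lang.Object"
            roles-required="admin">
    <actions>
      <action name="com.example.ResetConfigAction" alias="ResetConfig">
        <view name="success">/templates/reset.vm</view>
      </action>
      <action name="com.example.ExportAction" alias="ExportData" roles-required="admin">
        <view name="success">/templates/export.vm</view>
      </action>
    </actions>
  </webwork1>
  <webwork1 key="user-actions" name="User actions" class="java.lang.Object">
    <actions>
      <action name="com.example.ProfileAction" alias="Profile" roles-required="use">
        <view name="success">/templates/profile.vm</view>
      </action>
    </actions>
  </webwork1>
</atlassian-plugin>
"""


def find_namespace_only_roles(descriptor_xml: str) -> list:
    """Return the actions that inherit roles-required solely from their
    webwork1 namespace, i.e. the pattern CVE-2022-0540 bypasses."""
    root = ET.fromstring(descriptor_xml)
    findings = []
    for module in root.iter("webwork1"):
        ns_roles = module.get("roles-required")
        if ns_roles is None:
            # Nothing is inherited; whatever each action declares (or not) stands on its own.
            continue
        for action in module.iter("action"):
            if action.get("roles-required") is None:
                findings.append({
                    "module": module.get("key"),
                    "action": action.get("name"),
                    "alias": action.get("alias"),
                    "inherited_roles": ns_roles,
                })
    return findings


def push_roles_to_actions(descriptor_xml: str) -> str:
    """Return a copy of the descriptor where every action lacking its own
    roles-required gets the value declared on its webwork1 namespace."""
    root = ET.fromstring(descriptor_xml)
    for module in root.iter("webwork1"):
        ns_roles = module.get("roles-required")
        if ns_roles is None:
            continue
        for action in module.iter("action"):
            if action.get("roles-required") is None:
                action.set("roles-required", ns_roles)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in find_namespace_only_roles(SAMPLE_DESCRIPTOR):
        print("namespace-only roles-required:", finding)
    print(push_roles_to_actions(SAMPLE_DESCRIPTOR))
```

On the sample, only com.example.ResetConfigAction is reported; ExportData and Profile declare their own roles. The check is a triage aid for reviewing first- and third-party apps, not a substitute for upgrading Jira: a flagged action whose Java class performs its own permission check is not exploitable, and only the fixed Jira versions close the Seraph bypass itself.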
 
Affected Products 

  • Jira 
  • Jira Core Server 
  • Jira Software Server 
  • Jira Software Data Center 
  • Jira Service Management 
  • Jira Service Management Server 
  • Jira Service Management Data Center 

Affected Versions 

  • version < 8.13.18 
  • 8.14.0 ≤ version < 8.20.6 
  • 8.21.0 ≤ version < 8.22.0 

Mitigation 
Atlassian has released the following fixed versions addressing the vulnerability: 

  • 8.13.x >= 8.13.18 
  • 8.20.x >= 8.20.6 
  • All versions >= 8.22.0
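
Triaging an inventory against these ranges needs numeric comparison against all three, because the ranges are not monotonic: 8.13.18 and later 8.13.x releases are fixed while 8.14.0 through 8.20.5 are still affected. The following Python helper is an added example, not from this post or from the Qualys scanner; the ranges and fix versions are those listed above, and the host inventory is constructed for illustration.

```python
import re

# Affected ranges from the advisory, as half-open [low, high) tuples.
AFFECTED_RANGES = [
    ((0, 0, 0), (8, 13, 18)),      # version < 8.13.18
    ((8, 14, 0), (8, 20, 6)),      # 8.14.0 <= version < 8.20.6
    ((8, 21, 0), (8, 22, 0)),      # 8.21.0 <= version < 8.22.0
]


def parse_version(text: str) -> tuple:
    """Turn '8.20.6', '8.20' or '8.20.6-rc1' into a 3-tuple of ints.
    Only the leading numeric components are used; missing ones are 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def fixed_target(version: str):
    """Smallest fixed release on (or nearest above) the instance's line,
    or None if the instance is not affected."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    if v < (8, 14, 0):
        return "8.13.18"
    if v < (8, 21, 0):
        return "8.20.6"
    return "8.22.0"


def triage(inventory: dict) -> dict:
    """Map host -> fixed_target (None when already fixed)."""
    return {host: fixed_target(version) for host, version in inventory.items()}


# Constructed sample inventory: host name -> reported Jira version.
SAMPLE_INVENTORY = {
    "jira-prod-1": "8.13.20",   # 8.13.x at or above 8.13.18: fixed
    "jira-prod-2": "8.20.5",    # one below the 8.20 fix
    "jira-dev": "8.21.1",       # 8.21 line has no fix, must move to 8.22.0
    "jira-legacy": "7.13.0",    # anything below 8.13.18
    "jira-new": "8.22.0",       # first release where every line is fixed
}

if __name__ == "__main__":
    for host, target in triage(SAMPLE_INVENTORY).items():
        print(host, "fixed" if target is None else f"upgrade to >= {target}")
```

The point of the edge cases in the sample is that a naive "version < 8.22.0" rule would wrongly flag jira-prod-1, while "version >= 8.13.18" would wrongly clear jira-prod-2 and jira-dev.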

The latest versions can be downloaded from the Jira Core or Jira Software download pages. For more information, refer to the Jira Security Advisory. 
 
Qualys Detection  
Qualys customers can scan their devices with QID 730451 to detect vulnerable assets.  
  
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.

References 
https://jira.atlassian.com/browse/JRASERVER-73650  
https://thehackernews.com/2022/04/atlassian-drops-patches-for-critical.html  
https://confluence.atlassian.com/jira/jira-security-advisory-2022-04-20-1115127899.html  
https://www.bleepingcomputer.com/news/security/atlassian-fixes-critical-jira-authentication-bypass-vulnerability/
