• 9.9
    • Critical
    • CVE-2022-0540

       Updates

      2022/05/05 11:30 AM PDT

      • Updated the List of affected Atlassian Marketplace Apps section to note the following apps have non-vulnerable updates available:
        • Secure Code Warrior® for Jira
        • Simple Tasklists
        • Simple Team Pages for Jira
        • UiPath Test Manager for Jira
        • Xporter - Export issues from Jira

      2022/04/25 11:40 AM PDT

      • Updated the List of affected Atlassian Marketplace Apps section of the advisory to note the following app is no longer supported:
        • Feedback for Jira - Forms for website

      2022/04/22 12:30 PM PDT

      • Updated the List of affected Atlassian Marketplace Apps section of the advisory to note the following apps have non-vulnerable updates available:
        • VCAP - Video Capture for Jira Service Management
        • Who deleted my issues

      2022/04/21 11:50 AM PDT

      • Updated the List of affected Atlassian Marketplace Apps section of the advisory to note the following apps have non-vulnerable updates available:
        • Calendar for Jira
        • Dependent Select List
        • Smart Checklist for Jira. Pro

      Jira Service Management Server and Data Center are vulnerable to an authentication bypass in its web authentication framework, Jira Seraph.

      Although the vulnerability is in the core of Jira, it affects first- and third-party apps that specify roles-required at the webwork1 action namespace level and do not specify it at an action level. For a specific action to be affected, the action must also not perform any other authentication or authorization checks of its own.

      For more information on potentially affected apps, please refer to the Determining which apps are affected section in Atlassian's security advisory.
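      As an added illustration (this is not Atlassian's code and is not part of the issue), the check below parses a constructed atlassian-plugin.xml fragment and lists every action that has no roles-required of its own inside a webwork1 module that declares one, which is the affected configuration the advisory describes; a second function copies the namespace-level value onto each such action. It assumes the standard webwork1 / actions / action descriptor layout and the roles-required attribute name used there.

```python
import xml.etree.ElementTree as ET

# Constructed sample atlassian-plugin.xml fragment (not from any real app). Module
# "reports" sets roles-required only on the webwork1 element, so ExportReport relies on it.
SAMPLE_DESCRIPTOR = """<atlassian-plugin key="com.example.demo" name="Demo">
  <webwork1 key="reports" name="Report actions" roles-required="admin">
    <actions>
      <action name="com.example.ExportReport" alias="ExportReport">
        <view name="success">/templates/export.vm</view>
      </action>
      <action name="com.example.PurgeReport" alias="PurgeReport" roles-required="admin">
        <view name="success">/templates/purge.vm</view>
      </action>
    </actions>
  </webwork1>
  <webwork1 key="admin-tools" name="Admin tools" roles-required="admin">
    <actions>
      <action name="com.example.Reindex" alias="Reindex" roles-required="admin"/>
    </actions>
  </webwork1>
</atlassian-plugin>"""

def find_actions_relying_on_namespace_roles(descriptor_xml):
    """Return (module key, action alias, namespace roles) for each action with no
    roles-required of its own inside a webwork1 module that declares one. Each hit
    still needs a manual look at the action's code for its own auth checks."""
    root = ET.fromstring(descriptor_xml)
    findings = []
    for module in root.iter("webwork1"):
        ns_roles = module.get("roles-required")
        if not ns_roles:
            continue  # nothing is inherited from the namespace here
        for action in module.iter("action"):
            if action.get("roles-required") is None:
                findings.append((module.get("key"), action.get("alias"), ns_roles))
    return findings

def harden_descriptor(descriptor_xml):
    """Copy the namespace-level roles-required onto every action lacking it and return
    the rewritten XML. Descriptor-side change only; upgrading Jira is still required."""
    root = ET.fromstring(descriptor_xml)
    for module in root.iter("webwork1"):
        ns_roles = module.get("roles-required")
        for action in module.iter("action"):
            if ns_roles and action.get("roles-required") is None:
                action.set("roles-required", ns_roles)
    return ET.tostring(root, encoding="unicode")
```

Run against a real app's descriptor, the first function gives the list of actions to review under the advisory's "Determining which apps are affected" guidance.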

      A remote, unauthenticated attacker could exploit this by requesting a specially crafted URL to bypass authentication and authorization requirements in WebWork actions using an affected configuration.

      This vulnerability was discovered by Khoadha of Viettel Cyber Security.


      Affected versions:

      • version < 4.13.18
      • 4.14.0 ≤ version < 4.20.6
      • 4.21.0 ≤ version < 4.22.0

      Fixed versions:

      • 4.13.x >= 4.13.18
      • 4.20.x >= 4.20.6
      • All versions >= 4.22.0

      References

      Jira Security Advisory 2022-04-20: https://confluence.atlassian.com/display/JIRA/Jira+Security+Advisory+2022-04-20

            [JSDSERVER-11224] Authentication Bypass in Jira Seraph - CVE-2022-0540
