Cyber Security researchers have disclosed a critical authentication bypass vulnerability in multiple Jira products. The vulnerability is assigned a CVE ID CVE-2022-0540 with a CVSS score of 79.9, which is Critical in severity and is an authentication bypass vulnerability in Jira Seraph, a web authentication framework for Jira and Jira Service Management. The successful exploitation of the flaw could allow a remote, unauthenticated attacker to bypass authentication and authorization requirements in the web authentication framework on the affected version of Jira products. It is important to learn how to fix CVE-2022-0540 a critical authentication bypass vulnerability in Jira Seraph web authentication framework. Let’s get started.
Table of Contents
About Jira Seraph:
Jira Seraph is an open-source security management tool that can be used to help secure Jira installations. Jira Seraph provides a number of features to help Jira administrators harden their Jira instance and protect it from attack. Jira Seraph is available as a plugin for Jira versions 6.0 and above.
Summary Of CVE-2022-0540:
As we said earlier, this is an authentication bypass vulnerability in the Jira Seraph web authentication framework. The security researcher Khoadha from Viettel Cyber Security team says “this flaw could be exploited by sending a specially crafted HTTP request to bypass authentication and authorization requirements in WebWork actions using an affected configuration.”
The severity level of this vulnerability, as determined by Atlassian, is critical. However, if the concerned program utilizes extra permission checks, the severity level may differ. If you want to know more about the apps affected by this vulnerability, we suggest contacting the respective app vendor on this.
| Associated CVE ID | CVE-2022-0540 |
| Description | A Critical Authentication Bypass Vulnerability in Jira Seraph |
| Associated ZDI ID | – |
| CVSS Score | 9.9 Critical |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L |
| Impact Score | – |
| Exploitability Score | – |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | Low |
| User Interaction (UI) | None |
| Scope | Changed |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (a) | Low |
Jira Products Affected By CVE-2022-0540:
This flaw affects multiple Jira Products and multiple its versions.
Jira Products Affected By CVE-2022-0540:
Jira Core Server, Jira Software Server and Jira Software Data Center.Versions:
- All versions before 8.13.18
- 8.14.x
- 8.15.x
- 8.16.x
- 8.17.x
- 8.18.x
- 8.19.x
- 8.20.x before 8.20.6
- 8.21.x
Jira Service Management Products Affected Are:
Jira Service Management Server and Jira Service Management Data Center.Versions:
- All versions before 4.13.18
- 4.14.x
- 4.15.x
- 4.16.x
- 4.17.x
- 4.18.x
- 4.19.x
- 4.20.x before 4.20.6
- 4.21.x
Third-Party Apps Vulnerable To The Flaw Are:
The report has left a note that says the flaw affects first and third-party apps too if they are installed on any one of the affected Jira or Jira Service Management versions and the Jira products use a configuration vulnerable to the CVE-2022-0540 vulnerability.
Atlassian has found that Atlassian Marketplace apps are vulnerable to CVE-2022-0540. If you’re using an app that isn’t listed on the Atlassian Marketplace, please contact the developer and find out whether it’s susceptible to the same vulnerability. List of affected apps:
- Versions 8.x and earlier are available from the Atlassian Marketplace
- Versions 9.x are bundled with Jira Service Management Server and Data Center 4.15.0 and later
- Bundled with Jira Server, Jira Software Server and Data Center 8.0.0 and later
- Bundled with Jira Service Management Server and Data Center 4.0.0 and later
You can get a comprehensive list of apps from here.
How To Fix CVE-2022-0540- A Critical Authentication Bypass Vulnerability In Jira Seraph?
Atlassian, the Vendor of Jira products has responded to the vulnerability and released fixed versions of the Jira products. We recommend you to upgrade all your Jira products to the version fixed or the latest.
Fixed Jira Versions
- 8.13.x >= 8.13.18
- 8.20.x >= 8.20.6
- All versions >= 8.22.0
Fixed Jira Service Management Versions
- 4.13.x >= 4.13.18
- 4.20.x >= 4.20.6
- All versions >= 4.22.0
The upgradation will also protect all the first and third-party apps too. Once you upgrade your Jira products to the fixed version, all the apps are also protected against the flaw.
If in case you are not in a position to upgrade your Jira products and you have a vulnerable version of the third-party apps running. It is recommended to upgrade the apps to the fixed version. If in case you have a long list of apps to upgrade, we suggest disabling the apps and going with the upgradation of the Jira products.
List of apps shared by the Vendor. Please don’t forget to visit this site for further updates.
| App Name | Affected Versions | Notes |
|---|---|---|
| Activity for Jira | Versions < 2.3.0 | |
| Activity Timeline: Resource Planning & Time Tracking | Versions < 9.1.4 | |
| Alfresco connector for Jira | Versions < 1.15.3-8 | |
| Agile Tools & Filters for Jira Software | Versions < 4.0.12 | |
| Agile User Story Map & Product Roadmap for Jira | Versions < 6.4.1 | |
| ?? Alert Catcher – Jira integration with Zabbix SIEM | Versions < 2.0.10 | |
| aqua – Test Management & Automation | All versions | |
| ARCAD For Jira | All versions | |
| Atlas CRM – Customers and Sales in Jira | Versions < 1.9.10 | |
| Automated Log Work for Jira | Versions < 6.9.5 | |
| AutoPage – Automated Page Creation | Versions < 2.15.0 | |
| BDQ Migration Analyst for Jira Cloud | Versions < 1.0.2 | |
| Calculated and other custom fields(JBCF) for Jira DC/Cloud | Versions < 3.1.3 | |
| Calendar for Jira | Versions < 3.6.2 | The app vendor notes that all affected actions enforce additional permission checks that are not vulnerable to CVE-2022-0540 |
| ?? Cisco Finesse integration for Jira | Versions < 1.0.7 | |
| CodeRunner PRO | All versions | |
| Comala Agile Ranking | Versions < 1.6.0 | |
| Comala Canvas for Jira | Versions < 3.0.5 | |
| Comment History for Jira | Versions < 2.2.1 | |
| Comment Security Default | Versions < 4.0.1 | |
| Connector for Salesforce and Jira Server | Versions < 1.14.1-8 | |
| Control Freak | Versions < 1.0.7 | |
| Cross filters matrix | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Custom Select List | All versions | |
| Customfield Editor for Jira | Versions < 2.13.1 | |
| Customizable Announcements for Jira | Versions < 2.2.0 | |
| Decision Tables for Jira | Versions < 1.2.10 | |
| Default Values for ‘Create Issue’ screen | Versions < 4.2.8 | |
| Delegating group management | Versions < 3.0.6 | |
| Denkplan Portfolio Map for Jira | Versions < 2.2.0 | |
| Dependent Select List | Versions < 2.4 | |
| Display linked issues | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Document Vault for Jira | Versions < 5.2.1 | |
| e Matrix | Versions < 3.1.2 | |
| Easy Field Template | All versions | |
| Eclipse BIRT for SQL+JQL | Versions < 3.6.6 | |
| EduBrite LMS for Jira Service Management | Versions < 3.41.12 | |
| Elevator – Smart Issue Assignment | Versions < 3.10.2 | |
| Encryption for Jira | Versions < 1.7.21 | |
| Enterprise Mail Handler for Jira (JEMH) | Server versions < 3.3.86-serverData Center versions < 3.3.85-dc | |
| Epic watcher | Versions < 1.0.2 | |
| Excel-like Issue Editor for Jira – Embed Spreadsheet & Table | Versions < 1.17.1.1 | |
| excentia Admin Tools for Jira | Versions < 2.13.2 | |
| Extender for Jira | Versions < 2.16.0 | |
| Feedback for Jira – Forms for website | All versions | |
| Field Hide for Jira | All versions | |
| Field Hide for Jira – Lite | All versions | |
| Figma for Jira | Versions < 2.2.2 | |
| Flexible Calendar for Jira | Versions < 2.9.2 | |
| Frontu Field Service Management Add-on | All versions | |
| Gamification for Jira | All versions | |
| GDPR (DSGVO) and Security for Jira | Versions < 1.18.1 | |
| Gears desk for Jira | Versions < 2.4.3 | |
| Gears issue export permission | Versions < 2.4.1 | |
| Gears Lock manager for jira | Versions < 1.3.1 | |
| Gears Properties Manager | Versions < 1.5.1 | |
| Gears Usage Statistics for jira | Versions < 1.4.2 | |
| Gears worklog-restricted for Jira | All versions | |
| Git Integration for Jira | Versions < 4.2.1 | |
| Google Analytics for Jira | All versions | |
| Group Ambassadors | Versions < 2.4.1 | |
| Groups Plus – Attributes and delegated management | Versions < 1.0.3.15 | |
| Home Directory, Database & Log Browser for Jira | Versions < 1.34.1 | |
| ID Generator for Jira | All versions | |
| Import Export for Jira + Structure – Microsoft Project | Versions < 1.4.6 | |
| Insight – Asset Management | Versions < 8.10.0 All 9.x versions |
Bundled with Jira Service Management 4.15 and later. Customers using Jira Service Management 4.15.0 or later cannot install Insight 8.10.0 via UPM, and should install one of the updated versions of Jira Service Management noted in this advisory or see the Workarounds section below. An authenticated attacker with object schema manager permissions could exploit this vulnerability to execute arbitrary code. |
| InstaPrinta – Print Jira Issues directly | Versions < 2.9.0 | |
| iridion for JIRA | All versions | |
| Issue Actions Todo | Versions < 3.1.1 | |
| Issue Linked Event for Jira | Versions < 1.12.0 | |
| Issue Search Customiser for Jira | Versions < 1.3.4 | |
| Issues Toolbox for Jira | Versions < 2.1.2 | |
| It’s a Feature, Not a Bug | All versions | |
| J2J Issue Sync | All versions | |
| Jenkins Integration for Jira | Versions < 5.8.0 | |
| Jenkins Integration for Jira – Lite | Versions < 5.8.0 | |
| Jira Misc Custom Fields (JMCF) | Versions < 2.4.6 | |
| Jira Misc Workflow Extensions (JMWE) | Versions < 7.1.4 | |
| Jira Workflow Toolbox | Versions < 3.1.5 | |
| JsIncluder | All versions | |
| Label Manager for Jira | Versions < 4.7.8 | |
| Legal for Jira | All versions | This app is no longer supported and has been archived. |
| Log Tailer for Jira | Versions < 1.2.3 | |
| Lync and Skype Connector for Jira | All versions | |
| Message field | Versions < 4.6.6 | |
| Metadata for Jira | Versions < 4.8.6 | The app vendor notes that all affected actions enforce additional permission checks that are not vulnerable to CVE-2022-0540 |
| Microfocus Dimensions CM Integration | All versions | |
| ML1 | All versions | |
| Mobile Plugin for Jira Data Center and Server | Versions < 3.2.14 | Bundled with Jira and JSM Atlassian has determined the security risk is negligible since all affected actions enforce additional permission checks that are not vulnerable to CVE-2022-0540 |
| MOCO Time Tracking for Jira | Versions < 1.3.5 | |
| Multiple Checklists for Jira | Versions < 1.17.2 | |
| My Secret Santa for Jira | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| My Service Portal | Versions < 2.1.14.20220412102158 | |
| My.com Calendar | Versions < 4.2.1 | |
| Namo Crosseditor For Jira | Versions < 1.0.13 | |
| Notify Watcher | Versions < 1.7.2 | |
| NotifyMe! – Send emails from Jira issues | Versions < 2.0.12 | |
| One-time Link | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Organizations Automation | Versions < 2.10.2 | |
| PageMe! – Create Pages from Jira Issues | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Performance Objectives: Charts for Jira | Versions < 22.4.4 | |
| PractiTest Test Management for Jira | All versions | |
| Prevent Anonymous Access | Versions < 3.1.0 | |
| ProScheduler: Resource Planning & Gantt – Project Management | Versions < 4.1.0 | |
| Project Archiver for Jira | Versions < 1.4.0 | |
| Project Budget for Jira | Versions < 1.2.0 | |
| Project Creator | All versions | |
| Project Documents for Jira | Versions < 3.9.1 | |
| Project Specific Select Field | Versions < 3.0.2 | |
| Project User Manager (PUM) | Versions < 1.2.5 | |
| Projectrak – Project Tracking for Jira | Versions < 8.8.2 | |
| Projektron BCS Connector for Jira | All versions | |
| QA Craft Test Management for Jira | Server versions < 4.1.20Data Center versions < 4.1.21 | |
| QAlity – Test Management for Jira | All versions | |
| QAlity Plus – Test Management for Jira | All versions | |
| Quality Tiger – Test Management for Jira | All versions | |
| Quick Subtasks for Jira | All versions | |
| Raley Favourites for Jira | Versions < 1.1.1 | |
| ReceiveMe! – Email handler for Jira | Versions < 2.0.17 | |
| Refined for Jira | Sites & Themes | Versions 3.3.x < 3.3.4Versions < 3.2.21 | |
| RemindMe for Jira | Versions < 1.3.5 | |
| Report Builder | Versions < 3.9.1 | |
| Run CLI Actions in Jira | Versions < 10.2.1 | |
| SCIM User Provisioning for Jira | Versions < 2.7.1 | |
| Search by workflows | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Secure Admin for Jira | Versions < 3.4.2 | |
| Secure Code Warrior® for Jira | All versions | |
| Security Attachment Manager for Jira | Versions < 1.0.8 | |
| Security Fields and Attachments | All versions | |
| Service Desk Menu for Jira | Versions < 1.4.0 | |
| SharedManager | All versions | |
| Sign Off Plugin for Jira | Versions < 1.2.0 | |
| SIL Groovy Connector | Versions < 1.1.8 | |
| Simple Tasklists | All versions | |
| Simple Team Pages for Jira | All versions | |
| Simple notifications for Jira | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| SLA | All versions | |
| Smart Checklist for Jira. Pro | Versions < 5.6.1 | |
| Smart Issue Analyzer for Jira | All versions | |
| Smart Issue Analyzer for Jira Align | All versions | |
| Smart Issue Templates for Jira | Versions < 1.11.13 | |
| Sprint Capacity Planning & Tracking | All versions | |
| SQL+JQL Driver: Transform JQL into SQL | Versions < 9.11.3 | |
| Status History | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Status History PRO | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Status update reminder for Jira | Versions < 1.0.4 | |
| STM for Jira | Versions < 4.4.5 | |
| Story Mapping for Jira – Pro | Versions < 3.1.0 | |
| SU for Jira | Versions < 1.14.0 | |
| Subversion ALM | Versions < 9.3.4 | |
| sumUp for Jira | Versions < 3.6.6 | |
| swarmOS Analyzer | All versions | |
| Switch to User + Delegating SU (Jira) | Versions < 1.5.2 | |
| Sync Sub-Tasks to Parent | All versions | |
| Team Trax: Vacation, holidays, sick leaves tracker for Jira | All versions | The app vendor notes that all affected actions enforce additional permission checks that are not vulnerable to CVE-2022-0540 |
| Teamworkx Issue Picker for Jira | Versions < 8.7.8 | |
| Teamworkx Issue Publisher for Jira | Versions < 12.5.1 | |
| Teamworkx OTRS Integration for Jira | Versions < 70.40.10.0 | |
| Teamworkx Push and Pull Favorites | Versions < 7.0.11.9 | |
| Telegram Bot | All versions | |
| Template Manager | Versions < 1.4 | |
| TemplateMe! – Customized notifications | Versions < 2.8 | |
| Terms and Conditions for Jira | Versions < 2.1.0-5 | |
| Testlab for Jira | All versions | |
| Time in status | SLA | Timer | Stopwatch for Jira DC/Cloud | Versions < 5.4.2 | |
| Timeline | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Timeline for Jira | Versions < 2.0.4 | The app vendor notes that all affected actions for versions < 2.0.4 enforce additional permission checks that are not vulnerable to CVE-2022-0540 |
| Timetracker – Time Tracking & Reporting | Versions < 4.9.8 | |
| TodoMe Connector (Jira) | All versions | |
| TodoMe for Jira | All versions | |
| ToDos for Jira Issues | All versions | |
| Translate Field Options for Jira | Versions < 1.3.6 | |
| Translator for Jira | All versions | |
| Trophy – gamification for Jira | Versions < 1.0.4 | |
| UiPath Test Manager for Jira | All versions | |
| URL Restrictions for Jira | Versions < 1.0.7 | |
| User Anonymizer for Jira (GDPR) | Versions < 2.0.5 | |
| User Availability Tracker for Jira | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| User Management by Project Administrator | Versions < 82000.1.14 | |
| User Mention Groups for the Richtext Editor | All versions | |
| User Picker Avatar for Jira | Versions < 3.5.0 | |
| User Profiles for Jira | Versions < 2.4.5 | |
| User Switcher for Jira | Versions < 3.1.1 | |
| VCAP – Video Capture for Jira Service Management | Versions < 1.0.2 | |
| Version & Component Sync for Jira | Versions < 2.9.7 | |
| VIP.LEAN TOOLS – Advanced Links | Versions < 1.1.4 | |
| vLinks – Easy Issue Linking | Versions < 2.3.2-25ca8af | |
| Watch It for Jira | Versions < 3.1.2 | |
| WBS Gantt-Chart for Jira | Versions < 9.14.4.1 | |
| Whiteboards for Jira: team collaboration | Versions < 1.51.2 | |
| Who deleted my issues | Versions < 3.0.0 | |
| Workflow Magic Box | Versions < 1.12-RELEASE | |
| Worklog History PRO | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Worklog express | Versions < 8.5.5-SNAPSHOT | |
| Worklogs – Time Tracking and Reports | Versions < 1.4.3 | |
| xCharts – Custom Charts & Reports for Jira | Versions < 1.7.8 | |
| xPort – Custom Worklog Export for Jira | Versions < 1.2.1 | |
| Xporter – Export issues from Jira | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
We hope this post will help you know How To Fix CVE-2022-0540- A Critical Authentication Bypass Vulnerability in Jira Seraph. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/tech/aiops/270209.html