April 25, 2024

Atlassian released a security advisory for Jira and Jira Service Management, regarding an auth bypass vulnerability in its web authentication framework, Jira Seraph.

The vulnerability actually relies in the core of Jira, affecting first and third-party apps that specify roles-required at the webwork1 action name space level and do not specify it at an action level.

Jira on its own is not vulnerable, but if installed plugins that leverage the particular functionality creates the vulnerability. Uers with some of the vulnerable plugins include that enabled by default, specifically the Mobile Application for Jira add on.

Advertisements

A remote attacker can exploit a vulnerability tracked as CVE-2022-0540 in affected Server and Data Center versions of Jira and Jira Service Management by requesting a specially crafted URL which bypasses authentication and authorization requirements in WebWork actions. Atlassian rates this vulnerability as critical.

Affected Versions

The affected versions of Jira Core Server, Jira Software Server, and Jira Software Data Center are:

  • All versions before 8.13.18
  • 8.14.x
  • 8.15.x
  • 8.16.x
  • 8.17.x
  • 8.18.x
  • 8.19.x
  • 8.20.x before 8.20.6
  • 8.21.x

Fixed Jira versions

  • 8.13.18
  • 8.20.6
  • 8.22.0

Affected Jira Service Management versions

The affected versions of Jira Service Management Server and Jira Service Management Data Center are:

  • All versions before 4.13.18
  • 4.14.x
  • 4.15.x
  • 4.16.x
  • 4.17.x
  • 4.18.x
  • 4.19.x
  • 4.20.x before 4.20.6
  • 4.21.x

Fixed Jira Service Management versions

  • 4.13.18
  • 4.20.6
  • 4.22.0

Affected Apps

Two of the applications that can result in a vulnerable configuration are Atlassian plugins which are included by default in Jira and Jira service management  Insight Asset Management for Jira Service Management, which has been included in all versions of JSM since version 4.15.0 and Mobile Plugin for Jira which has been included in all 8.x releases of Jira and 4.x releases of Jira Service Management.

Mitigation steps

Installing a fixed version of Jira or Jira Service Management is the surest way to remediate CVE-2022-0540. Once a fixed version has been installed, all apps in your instance are protected against CVE-2022-0540 and no further action is required.

Advertisements

If you cannot upgrade Jira or Jira Service Management, you can take one of the following actions

  • Upgrade vulnerable plugins to non-impacted versions.
  • Disable vulnerable plugins – note that this will remove provided functionality and should be considered a worst-case option. For JSM, disabling Insight Asset Management may have the further impact of removing all service management functionality.
Tags:

1 thought on “Atlassian released updates for Jira Seraph

  1. Pingback: Atlassian Jira SSRF Vulnerability - TheCyberThrone

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

Google Fixes Critical Vulnerability in Chrome -CVE-2024-4058

April 24, 2024

Red Ransomware Victimized Targus

April 23, 2024

Oracle Virtual Box Vulnerability PoC Released – CVE-2024-21111

April 22, 2024

CrushFTP Zeroday Vulnerability Exploited in Wild attack

April 21, 2024

TheCyberThrone Security Week In Review – April 20, 2024

April 21, 2024

MITRE Breached Exploiting Ivanti Zeroday

April 20, 2024

Discover more from TheCyberThrone

Subscribe now to keep reading and get access to the full archive.

Continue reading