Atlassian has released a security advisory for Jira and Jira Service Management describing an authentication bypass vulnerability in its web authentication framework, Jira Seraph.
The flaw resides in the core of Jira and affects first- and third-party apps that declare roles-required at the webwork1 action namespace level without also declaring it at the individual action level.
Jira on its own is not vulnerable; the vulnerable configuration arises when an installed plugin relies on the namespace-level roles-required alone. Some such plugins ship with Jira and are enabled by default, notably the Mobile Plugin for Jira.
A remote, unauthenticated attacker can exploit the vulnerability, tracked as CVE-2022-0540, in affected Server and Data Center versions of Jira and Jira Service Management by requesting a specially crafted URL that bypasses the authentication and authorization requirements of WebWork actions. Atlassian rates the vulnerability as critical.
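The pattern described above is visible in a plugin's atlassian-plugin.xml descriptor: a <webwork1> module carries roles-required while one of its <action> elements does not. The following script is an added example, not Atlassian's code or any plugin's real descriptor. It parses a descriptor, reports every action that depends solely on the namespace-level roles-required (the CVE-2022-0540 pattern), and produces a hardened copy that pushes the namespace-level roles down to each unprotected action, which is the fix vendors shipped in their plugin updates. The sample descriptor, plugin key, class names and aliases are constructed for the example; the element and attribute names follow the webwork1 module format Jira uses.

```python
"""Audit atlassian-plugin.xml webwork1 modules for the CVE-2022-0540 pattern.

Added example, not Atlassian's code. Flags <webwork1> modules that set
roles-required on the module (namespace) element while at least one
<action> beneath it has no roles-required of its own, and produces a
hardened descriptor with roles-required copied to every such action.
"""
from __future__ import annotations

import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class Finding:
    module_key: str       # key attribute of the <webwork1> module
    action_alias: str     # alias (URL name) of the unprotected action
    namespace_roles: str  # roles-required declared on the namespace only


def audit_descriptor(xml_text: str) -> list[Finding]:
    """Return one Finding per action protected only by namespace-level roles."""
    root = ET.fromstring(xml_text)
    findings: list[Finding] = []
    for module in root.iter("webwork1"):
        ns_roles = module.get("roles-required")
        if not ns_roles:
            # No namespace-level roles: nothing is being inherited, so this
            # module does not match the CVE-2022-0540 pattern.
            continue
        for action in module.iter("action"):
            if not action.get("roles-required"):
                findings.append(Finding(
                    module_key=module.get("key", "?"),
                    action_alias=action.get("alias") or action.get("name", "?"),
                    namespace_roles=ns_roles,
                ))
    return findings


def harden_descriptor(xml_text: str) -> str:
    """Copy namespace-level roles-required onto every action that lacks it."""
    root = ET.fromstring(xml_text)
    for module in root.iter("webwork1"):
        ns_roles = module.get("roles-required")
        if not ns_roles:
            continue
        for action in module.iter("action"):
            if not action.get("roles-required"):
                action.set("roles-required", ns_roles)
    return ET.tostring(root, encoding="unicode")


# Constructed sample descriptor: DemoExport relies on the namespace-level
# roles-required only (vulnerable pattern); DemoView declares its own.
VULNERABLE_DESCRIPTOR = """<atlassian-plugin key="com.example.demo" name="Demo Plugin">
  <webwork1 key="demo-actions" name="Demo Actions" class="java.lang.Object" roles-required="admin">
    <actions>
      <action name="com.example.demo.ExportAction" alias="DemoExport">
        <view name="success">/templates/export.vm</view>
      </action>
      <action name="com.example.demo.ViewAction" alias="DemoView" roles-required="admin">
        <view name="success">/templates/view.vm</view>
      </action>
    </actions>
  </webwork1>
</atlassian-plugin>
"""


def main(paths: list[str]) -> int:
    """Audit descriptor files given on the command line (or the sample)."""
    sources = [(p, open(p, encoding="utf-8").read()) for p in paths] or \
              [("<sample>", VULNERABLE_DESCRIPTOR)]
    total = 0
    for label, text in sources:
        for f in audit_descriptor(text):
            total += 1
            print(f"{label}: module {f.module_key!r} action {f.action_alias!r} "
                  f"inherits roles-required={f.namespace_roles!r} from the "
                  f"namespace only (CVE-2022-0540 pattern)")
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it against the descriptors extracted from the plugin JARs in your installed-plugins directory; a non-zero exit code means at least one action depends on namespace-level roles alone. The script checks only for the presence of roles-required and does not interpret role names, so a hit still has to be judged against what the action does.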
Affected Jira versions
The affected versions of Jira Core Server, Jira Software Server, and Jira Software Data Center are:
- All versions before 8.13.18
- 8.14.x through 8.19.x
- 8.20.x before 8.20.6
- 8.21.x
Fixed Jira versions
- 8.13.18 (8.13.x line)
- 8.20.6 (8.20.x line)
- 8.22.0 and later
Affected Jira Service Management versions
The affected versions of Jira Service Management Server and Jira Service Management Data Center are:
- All versions before 4.13.18
- 4.14.x through 4.19.x
- 4.20.x before 4.20.6
- 4.21.x
Fixed Jira Service Management versions
- 4.13.18 (4.13.x line)
- 4.20.6 (4.20.x line)
- 4.22.0 and later
Two of the apps that can produce a vulnerable configuration are Atlassian plugins bundled with Jira and Jira Service Management by default: Insight Asset Management for Jira Service Management, included in all versions of JSM since 4.15.0, and Mobile Plugin for Jira, included in all 8.x releases of Jira and all 4.x releases of Jira Service Management.
Installing a fixed version of Jira or Jira Service Management is the surest way to remediate CVE-2022-0540. Once a fixed version has been installed, all apps in your instance are protected against CVE-2022-0540 and no further action is required.
If you cannot upgrade Jira or Jira Service Management, take one of the following actions:
- Upgrade vulnerable plugins to non-impacted versions.
- Disable vulnerable plugins. Note that this removes the functionality those plugins provide and should be treated as a last-resort option. For JSM, disabling Insight Asset Management may have the further effect of removing all service management functionality.