{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-031.pdf"
    },
    "title": "Jira Authentication Bypass Vulnerability",
    "serial_number": "2022-031",
    "publish_date": "26-04-2022 14:42:00",
    "description": "On April 20th, 2022, Atlassian published a security advisory for a critical authentication bypass vulnerability in Jira and Jira Service Management. The flaw lies in Seraph, the web authentication framework used by these products. It is tracked as CVE-2022-0540 and carries a CVSS score of 9.9 out of 10. Atlassian has released software updates that address this vulnerability.",
    "url_title": "2022-031",
    "content_markdown": "---\ntitle: 'Jira Authentication Bypass Vulnerability'\nversion: '1.0'\nnumber: '2022-031'\ndate: 'April 26, 2022'\n---\n\n_History:_\n\n* _26/04/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn April 20th, 2022, Atlassian published a security advisory for a critical authentication bypass vulnerability in Jira and Jira Service Management. The flaw lies in Seraph, the web authentication framework used by these products. It is tracked as **CVE-2022-0540** and carries a CVSS score of 9.9 out of 10. Atlassian has released software updates that address this vulnerability [1].\n\n# Technical Details\n\n## CVE-2022-0540 (CVSS: Critical 9.9)\n\nA remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted HTTP request that bypasses the authentication and authorization requirements of WebWork actions that use an affected configuration.\n\nAtlassian states that remote attackers can only compromise the impacted products if an installed app uses a specific Seraph configuration, described as follows:\n\n_\"Although the vulnerability is in the core of Jira, it affects first and third party apps that specify roles-required at the webwork1 action namespace level and do not specify it at an action level. For a specific action to be affected, the action will also need to not perform any other authentication or authorization checks.\"_\n\nFor an app to be affected by CVE-2022-0540, both of the following conditions must be true:\n\n- it is installed in one of the affected Jira or Jira Service Management versions listed below,\n- it is using a configuration vulnerable to CVE-2022-0540.\n\n# Products Affected\n\n## Affected Jira Versions\n\nThis includes **Jira Core Server**, **Jira Software Server** and **Jira Software Data Center**:\n\n- All versions before 8.13.18\n- 8.14.x\n- 8.15.x\n- 8.16.x\n- 8.17.x\n- 8.18.x\n- 8.19.x\n- 8.20.x before 8.20.6\n- 8.21.x\n\n## Affected Jira Service Management Versions\n\nThis includes **Jira Service Management Server** and **Jira Service Management Data Center**:\n\n- All versions before 4.13.18\n- 4.14.x\n- 4.15.x\n- 4.16.x\n- 4.17.x\n- 4.18.x\n- 4.19.x\n- 4.20.x before 4.20.6\n- 4.21.x\n\n# Recommendations\n\nAtlassian recommends installing a fixed version of Jira or Jira Service Management to remediate CVE-2022-0540.\n\n## Fixed Jira Versions\n\n- 8.13.x >= 8.13.18\n- 8.20.x >= 8.20.6\n- All versions >= 8.22.0\n\n## Fixed Jira Service Management Versions\n\n- 4.13.x >= 4.13.18\n- 4.20.x >= 4.20.6\n- All versions >= 4.22.0\n\n## Workarounds\n\nIf it is not possible to update to one of the versions above and you are using any affected apps, Atlassian recommends updating the affected apps to a version that has remediated the risk, or disabling the vulnerable apps until patching is possible. Whether an app uses the vulnerable configuration can be determined by reviewing the roles-required settings of its webwork1 modules and their actions, as described above.\n\n# References\n\n[1] <https://confluence.atlassian.com/jira/jira-security-advisory-2022-04-20-1115127899.html>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>26/04/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On April 20th, 2022, Atlassian published a security advisory for a critical authentication bypass vulnerability in Jira and Jira Service Management. The flaw lies in Seraph, the web authentication framework used by these products. It is tracked as <strong>CVE-2022-0540</strong> and carries a CVSS score of 9.9 out of 10. Atlassian has released software updates that address this vulnerability [1].</p><h2 id=\"technical-details\">Technical Details</h2><h3 id=\"cve-2022-0540-cvss-critical-99\">CVE-2022-0540 (CVSS: Critical 9.9)</h3><p>A remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted HTTP request that bypasses the authentication and authorization requirements of WebWork actions that use an affected configuration.</p><p>Atlassian states that remote attackers can only compromise the impacted products if an installed app uses a specific Seraph configuration, described as follows:</p><p><em>\"Although the vulnerability is in the core of Jira, it affects first and third party apps that specify roles-required at the webwork1 action namespace level and do not specify it at an action level. For a specific action to be affected, the action will also need to not perform any other authentication or authorization checks.\"</em></p><p>For an app to be affected by CVE-2022-0540, both of the following conditions must be true:</p><ul><li>it is installed in one of the affected Jira or Jira Service Management versions listed below,</li><li>it is using a configuration vulnerable to CVE-2022-0540.</li></ul><h2 id=\"products-affected\">Products Affected</h2><h3 id=\"affected-jira-versions\">Affected Jira Versions</h3><p>This includes <strong>Jira Core Server</strong>, <strong>Jira Software Server</strong> and <strong>Jira Software Data Center</strong>:</p><ul><li>All versions before 8.13.18</li><li>8.14.x</li><li>8.15.x</li><li>8.16.x</li><li>8.17.x</li><li>8.18.x</li><li>8.19.x</li><li>8.20.x before 8.20.6</li><li>8.21.x</li></ul><h3 id=\"affected-jira-service-management-versions\">Affected Jira Service Management Versions</h3><p>This includes <strong>Jira Service Management Server</strong> and <strong>Jira Service Management Data Center</strong>:</p><ul><li>All versions before 4.13.18</li><li>4.14.x</li><li>4.15.x</li><li>4.16.x</li><li>4.17.x</li><li>4.18.x</li><li>4.19.x</li><li>4.20.x before 4.20.6</li><li>4.21.x</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Atlassian recommends installing a fixed version of Jira or Jira Service Management to remediate CVE-2022-0540.</p><h3 id=\"fixed-jira-versions\">Fixed Jira Versions</h3><ul><li>8.13.x &gt;= 8.13.18</li><li>8.20.x &gt;= 8.20.6</li><li>All versions &gt;= 8.22.0</li></ul><h3 id=\"fixed-jira-service-management-versions\">Fixed Jira Service Management Versions</h3><ul><li>4.13.x &gt;= 4.13.18</li><li>4.20.x &gt;= 4.20.6</li><li>All versions &gt;= 4.22.0</li></ul><h3 id=\"workarounds\">Workarounds</h3><p>If it is not possible to update to one of the versions above and you are using any affected apps, Atlassian recommends updating the affected apps to a version that has remediated the risk, or disabling the vulnerable apps until patching is possible. Whether an app uses the vulnerable configuration can be determined by reviewing the roles-required settings of its webwork1 modules and their actions, as described above.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://confluence.atlassian.com/jira/jira-security-advisory-2022-04-20-1115127899.html\">https://confluence.atlassian.com/jira/jira-security-advisory-2022-04-20-1115127899.html</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}
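Added example, not part of the CERT-EU advisory record above nor Atlassian's own code: a triage script that applies the advisory's two conditions for an app to be affected by CVE-2022-0540, namely (1) the instance runs one of the affected Jira or Jira Service Management versions listed in the advisory, and (2) an installed app declares roles-required at the webwork1 namespace level but not on each action. The version ranges are copied from the advisory. The descriptor layout (a `<webwork1>` module carrying `roles-required`, with `<action>` children that may or may not repeat it) is assumed from Atlassian's webwork1 plugin-module format; the `serverInfo` JSON and the plugin descriptor used as input are constructed samples, and `com.example.*` names are placeholders.

```python
"""Triage helper for CVE-2022-0540 (Jira Seraph authentication bypass).

Checks the two conditions the advisory gives for an app to be affected:
  1. the instance runs an affected Jira / Jira Service Management version;
  2. an installed app declares roles-required on a webwork1 module
     (namespace level) without repeating it on every action.
Version ranges come from the advisory. The descriptor layout is assumed from
Atlassian's webwork1 module format; all sample inputs below are constructed.
"""
import json
import xml.etree.ElementTree as ET

# First fixed release on each maintained branch, plus the first branch that is
# fixed across the board (8.22.0 / 4.22.0). Anything older that is not on a
# fixed branch is affected ("all versions before 8.13.18", 8.14.x .. 8.21.x).
FIXED_RELEASES = {
    "jira": {"branches": {(8, 13): (8, 13, 18), (8, 20): (8, 20, 6)}, "all_from": (8, 22, 0)},
    "jsm": {"branches": {(4, 13): (4, 13, 18), (4, 20): (4, 20, 6)}, "all_from": (4, 22, 0)},
}


def parse_version(version: str) -> tuple:
    """'8.20.5' -> (8, 20, 5). Drops suffixes such as '-SNAPSHOT'; pads to 3 parts."""
    parts = [int(p) for p in version.split("-")[0].split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def version_is_affected(version: str, product: str) -> bool:
    """True if this Jira ('jira') or Jira Service Management ('jsm') version
    falls inside the affected ranges listed in the advisory."""
    v = parse_version(version)
    fixed = FIXED_RELEASES[product]
    if v >= fixed["all_from"]:
        return False
    branch_fix = fixed["branches"].get(v[:2])
    if branch_fix is not None:
        return v < branch_fix   # maintained branch: fixed from the listed patch release
    return True                 # every other branch below 8.22 / 4.22 is affected


def version_from_server_info(server_info_json: str) -> str:
    """Pull the version string out of a GET /rest/api/2/serverInfo response body."""
    return json.loads(server_info_json)["version"]


def find_unguarded_actions(descriptor_xml: str) -> list:
    """Return 'module-key/action-alias' for every action that relies on the
    module-level roles-required instead of declaring its own, i.e. the
    configuration pattern CVE-2022-0540 bypasses. Static review cannot see
    checks the action class performs in code, so hits are candidates only."""
    root = ET.fromstring(descriptor_xml)
    findings = []
    for module in root.iter("webwork1"):
        if module.get("roles-required") is None:
            continue   # no namespace-level role: not the pattern described
        for action in module.iter("action"):
            if action.get("roles-required") is None:
                findings.append(f"{module.get('key')}/{action.get('alias')}")
    return findings


def app_is_affected(version: str, product: str, descriptor_xml: str) -> bool:
    """Both advisory conditions must hold: affected version AND vulnerable config."""
    return version_is_affected(version, product) and bool(find_unguarded_actions(descriptor_xml))


# Constructed sample inputs (not real data). serverInfo reports the Jira
# platform version; 'product' selects which of the advisory's tables applies.
SAMPLE_SERVER_INFO = '{"baseUrl": "https://jira.example.internal", "version": "8.20.5", "deploymentType": "Server"}'

SAMPLE_DESCRIPTOR = """\
<atlassian-plugin key="com.example.admin-tools" name="Example Admin Tools" plugins-version="2">
  <webwork1 key="admin-actions" name="Admin actions" class="java.lang.Object" roles-required="admin">
    <actions>
      <!-- inherits the namespace-level role only: the CVE-2022-0540 pattern -->
      <action name="com.example.ExportConfigAction" alias="ExportConfig">
        <view name="success">/templates/export.vm</view>
      </action>
      <!-- repeats the role at action level: not affected -->
      <action name="com.example.ResetConfigAction" alias="ResetConfig" roles-required="admin">
        <view name="success">/templates/reset.vm</view>
      </action>
    </actions>
  </webwork1>
</atlassian-plugin>
"""

if __name__ == "__main__":
    ver = version_from_server_info(SAMPLE_SERVER_INFO)
    print(f"Jira {ver} affected version: {version_is_affected(ver, 'jira')}")
    for hit in find_unguarded_actions(SAMPLE_DESCRIPTOR):
        print(f"candidate unguarded action: {hit}")
    print(f"app affected: {app_is_affected(ver, 'jira', SAMPLE_DESCRIPTOR)}")
```

Run `find_unguarded_actions` over the `atlassian-plugin.xml` of each installed app (extracted from its JAR) to get a list of actions to review; a hit still has to be confirmed against the action class, since the advisory excludes actions that perform their own authentication or authorization checks in code.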