• Home
  • |
  • Blog
  • |
  • How To Fix CVE-2022-0540- A Critical Authentication Bypass Vulnerability In Jira Seraph
How To Fix CVE-2022-0540- A Critical Authentication Bypass Vulnerability in Jira Seraph

Cyber Security researchers have disclosed a critical authentication bypass vulnerability in multiple Jira products. The vulnerability is assigned a CVE ID CVE-2022-0540 with a CVSS score of 79.9, which is Critical in severity and is an authentication bypass vulnerability in Jira Seraph, a web authentication framework for Jira and Jira Service Management. The successful exploitation of the flaw could allow a remote, unauthenticated attacker to bypass authentication and authorization requirements in the web authentication framework on the affected version of Jira products. It is important to learn how to fix CVE-2022-0540 a critical authentication bypass vulnerability in Jira Seraph web authentication framework. Let’s get started.

About Jira Seraph:

Jira Seraph is an open-source security management tool that can be used to help secure Jira installations. Jira Seraph provides a number of features to help Jira administrators harden their Jira instance and protect it from attack. Jira Seraph is available as a plugin for Jira versions 6.0 and above.

Summary Of CVE-2022-0540:

As we said earlier, this is an authentication bypass vulnerability in the Jira Seraph web authentication framework. The security researcher Khoadha from Viettel Cyber Security team says “this flaw could be exploited by sending a specially crafted HTTP request to bypass authentication and authorization requirements in WebWork actions using an affected configuration.”

The severity level of this vulnerability, as determined by Atlassian, is critical. However, if the concerned program utilizes extra permission checks, the severity level may differ. If you want to know more about the apps affected by this vulnerability, we suggest contacting the respective app vendor on this.

Associated CVE IDCVE-2022-0540
DescriptionA Critical Authentication Bypass Vulnerability in Jira Seraph
Associated ZDI ID
CVSS Score9.9 Critical
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Impact Score
Exploitability Score
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)Low
User Interaction (UI)None
ScopeChanged
Confidentiality (C)High
Integrity (I)High
Availability (a)Low

Jira Products Affected By CVE-2022-0540:

This flaw affects multiple Jira Products and multiple its versions.

Jira Products Affected By CVE-2022-0540:

Jira Core Server, Jira Software Server and Jira Software Data Center.Versions:

  • All versions before 8.13.18
  • 8.14.x
  • 8.15.x
  • 8.16.x
  • 8.17.x
  • 8.18.x
  • 8.19.x
  • 8.20.x before 8.20.6
  • 8.21.x

Jira Service Management Products Affected Are:

Jira Service Management Server and Jira Service Management Data Center.Versions:

  • All versions before 4.13.18
  • 4.14.x
  • 4.15.x
  • 4.16.x
  • 4.17.x
  • 4.18.x
  • 4.19.x
  • 4.20.x before 4.20.6
  • 4.21.x

Third-Party Apps Vulnerable To The Flaw Are:

The report has left a note that says the flaw affects first and third-party apps too if they are installed on any one of the affected Jira or Jira Service Management versions and the Jira products use a configuration vulnerable to the CVE-2022-0540 vulnerability.

Atlassian has found that Atlassian Marketplace apps are vulnerable to CVE-2022-0540. If you’re using an app that isn’t listed on the Atlassian Marketplace, please contact the developer and find out whether it’s susceptible to the same vulnerability. List of affected apps:

Insight – Asset Management

  • Versions 8.x and earlier are available from the Atlassian Marketplace
  • Versions 9.x are bundled with Jira Service Management Server and Data Center 4.15.0 and later

Mobile Plugin for Jira

  • Bundled with Jira Server, Jira Software Server and Data Center 8.0.0 and later
  • Bundled with Jira Service Management Server and Data Center 4.0.0 and later

You can get a comprehensive list of apps from here.

How To Fix CVE-2022-0540- A Critical Authentication Bypass Vulnerability In Jira Seraph?

Atlassian, the Vendor of Jira products has responded to the vulnerability and released fixed versions of the Jira products. We recommend you to upgrade all your Jira products to the version fixed or the latest.

Fixed Jira Versions

  • 8.13.x >= 8.13.18
  • 8.20.x >= 8.20.6
  • All versions >= 8.22.0

Fixed Jira Service Management Versions

  • 4.13.x >= 4.13.18
  • 4.20.x >= 4.20.6
  • All versions >= 4.22.0

The upgradation will also protect all the first and third-party apps too. Once you upgrade your Jira products to the fixed version, all the apps are also protected against the flaw.

If in case you are not in a position to upgrade your Jira products and you have a vulnerable version of the third-party apps running. It is recommended to upgrade the apps to the fixed version. If in case you have a long list of apps to upgrade, we suggest disabling the apps and going with the upgradation of the Jira products.

List of apps shared by the Vendor. Please don’t forget to visit this site for further updates.

App NameAffected VersionsNotes
Activity for JiraVersions < 2.3.0
Activity Timeline: Resource Planning & Time TrackingVersions < 9.1.4
Alfresco connector for JiraVersions < 1.15.3-8
Agile Tools & Filters for Jira SoftwareVersions < 4.0.12
Agile User Story Map & Product Roadmap for JiraVersions < 6.4.1
🇺🇦 Alert Catcher – Jira integration with Zabbix SIEMVersions < 2.0.10
aqua – Test Management & AutomationAll versions
ARCAD For JiraAll versions
Atlas CRM – Customers and Sales in JiraVersions < 1.9.10
Automated Log Work for JiraVersions < 6.9.5
AutoPage – Automated Page CreationVersions < 2.15.0
BDQ Migration Analyst for Jira CloudVersions < 1.0.2
Calculated and other custom fields(JBCF) for Jira DC/CloudVersions < 3.1.3
Calendar for JiraVersions < 3.6.2The app vendor notes that all affected actions enforce additional permission checks that are not vulnerable to CVE-2022-0540
🇺🇦 Cisco Finesse integration for JiraVersions < 1.0.7
CodeRunner PROAll versions
Comala Agile RankingVersions < 1.6.0
Comala Canvas for JiraVersions < 3.0.5
Comment History for JiraVersions < 2.2.1
Comment Security DefaultVersions < 4.0.1
Connector for Salesforce and Jira ServerVersions < 1.14.1-8
Control FreakVersions < 1.0.7
Cross filters matrixAll versionsThe app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira.
Custom Select ListAll versions
Customfield Editor for JiraVersions < 2.13.1
Customizable Announcements for JiraVersions < 2.2.0
Decision Tables for JiraVersions < 1.2.10
Default Values for ‘Create Issue’ screenVersions < 4.2.8
Delegating group managementVersions < 3.0.6
Denkplan Portfolio Map for JiraVersions < 2.2.0
Dependent Select ListVersions < 2.4
Display linked issuesAll versionsThe app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira.
Document Vault for JiraVersions < 5.2.1
e MatrixVersions < 3.1.2
Easy Field TemplateAll versions
Eclipse BIRT for SQL+JQLVersions < 3.6.6
EduBrite LMS for Jira Service ManagementVersions < 3.41.12
Elevator – Smart Issue AssignmentVersions < 3.10.2
Encryption for JiraVersions < 1.7.21
Enterprise Mail Handler for Jira (JEMH)Server versions < 3.3.86-serverData Center versions < 3.3.85-dc
Epic watcherVersions < 1.0.2
Excel-like Issue Editor for Jira – Embed Spreadsheet & TableVersions < 1.17.1.1
excentia Admin Tools for JiraVersions < 2.13.2
Extender for JiraVersions < 2.16.0
Feedback for Jira – Forms for websiteAll versions
Field Hide for JiraAll versions
Field Hide for Jira – LiteAll versions
Figma for JiraVersions < 2.2.2
Flexible Calendar for JiraVersions < 2.9.2
Frontu Field Service Management Add-onAll versions
Gamification for JiraAll versions
GDPR (DSGVO) and Security for JiraVersions < 1.18.1
Gears desk for JiraVersions < 2.4.3
Gears issue export permissionVersions < 2.4.1
Gears Lock manager for jiraVersions < 1.3.1
Gears Properties ManagerVersions < 1.5.1
Gears Usage Statistics for jiraVersions < 1.4.2
Gears worklog-restricted for JiraAll versions
Git Integration for JiraVersions < 4.2.1
Google Analytics for JiraAll versions
Group AmbassadorsVersions < 2.4.1
Groups Plus – Attributes and delegated managementVersions < 1.0.3.15
Home Directory, Database & Log Browser for JiraVersions < 1.34.1
ID Generator for JiraAll versions
Import Export for Jira + Structure – Microsoft ProjectVersions < 1.4.6
Insight – Asset ManagementVersions < 8.10.0
All 9.x versions
Bundled with Jira Service Management 4.15 and later.
Customers using Jira Service Management 4.15.0 or later cannot install Insight 8.10.0 via UPM, and should install one of the updated versions of Jira Service Management noted in this advisory or see the Workarounds section below.
An authenticated attacker with object schema manager permissions could exploit this vulnerability to execute arbitrary code.
InstaPrinta – Print Jira Issues directlyVersions < 2.9.0
iridion for JIRAAll versions
Issue Actions TodoVersions < 3.1.1
Issue Linked Event for JiraVersions < 1.12.0
Issue Search Customiser for JiraVersions < 1.3.4
Issues Toolbox for JiraVersions < 2.1.2
It’s a Feature, Not a BugAll versions
J2J Issue SyncAll versions
Jenkins Integration for JiraVersions < 5.8.0
Jenkins Integration for Jira – LiteVersions < 5.8.0
Jira Misc Custom Fields (JMCF)Versions < 2.4.6
Jira Misc Workflow Extensions (JMWE)Versions < 7.1.4
Jira Workflow ToolboxVersions < 3.1.5
JsIncluderAll versions
Label Manager for JiraVersions < 4.7.8
Legal for JiraAll versionsThis app is no longer supported and has been archived.
Log Tailer for JiraVersions < 1.2.3
Lync and Skype Connector for JiraAll versions
Message fieldVersions < 4.6.6
Metadata for JiraVersions < 4.8.6The app vendor notes that all affected actions enforce additional permission checks that are not vulnerable to CVE-2022-0540
Microfocus Dimensions CM IntegrationAll versions
ML1All versions
Mobile Plugin for Jira Data Center and ServerVersions < 3.2.14Bundled with Jira and JSM
Atlassian has determined the security risk is negligible since all affected actions enforce additional permission checks that are not vulnerable to CVE-2022-0540
MOCO Time Tracking for JiraVersions < 1.3.5
Multiple Checklists for JiraVersions < 1.17.2
My Secret Santa for JiraAll versionsThe app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira.
My Service PortalVersions < 2.1.14.20220412102158
My.com CalendarVersions < 4.2.1
Namo Crosseditor For JiraVersions < 1.0.13
Notify WatcherVersions < 1.7.2
NotifyMe! – Send emails from Jira issuesVersions < 2.0.12
One-time LinkAll versionsThe app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira.
Organizations AutomationVersions < 2.10.2
PageMe! – Create Pages from Jira IssuesAll versionsThe app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira.
Performance Objectives: Charts for JiraVersions < 22.4.4
PractiTest Test Management for JiraAll versions
Prevent Anonymous AccessVersions < 3.1.0
ProScheduler: Resource Planning & Gantt – Project ManagementVersions < 4.1.0
Project Archiver for JiraVersions < 1.4.0
Project Budget for JiraVersions < 1.2.0
Project CreatorAll versions
Project Documents for JiraVersions < 3.9.1
Project Specific Select FieldVersions < 3.0.2
Project User Manager (PUM)Versions < 1.2.5
Projectrak – Project Tracking for JiraVersions < 8.8.2
Projektron BCS Connector for JiraAll versions
QA Craft Test Management for JiraServer versions < 4.1.20Data Center versions < 4.1.21
QAlity – Test Management for JiraAll versions
QAlity Plus – Test Management for JiraAll versions
Quality Tiger – Test Management for JiraAll versions
Quick Subtasks for JiraAll versions
Raley Favourites for JiraVersions < 1.1.1
ReceiveMe! – Email handler for JiraVersions < 2.0.17
Refined for Jira | Sites & ThemesVersions 3.3.x < 3.3.4Versions < 3.2.21
RemindMe for JiraVersions < 1.3.5
Report BuilderVersions < 3.9.1
Run CLI Actions in JiraVersions < 10.2.1
SCIM User Provisioning for JiraVersions < 2.7.1
Search by workflowsAll versionsThe app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira.
Secure Admin for JiraVersions < 3.4.2
Secure Code Warrior® for JiraAll versions
Security Attachment Manager for JiraVersions < 1.0.8
Security Fields and AttachmentsAll versions
Service Desk Menu for JiraVersions < 1.4.0
SharedManagerAll versions
Sign Off Plugin for JiraVersions < 1.2.0
SIL Groovy ConnectorVersions < 1.1.8
Simple TasklistsAll versions
Simple Team Pages for JiraAll versions
Simple notifications for JiraAll versionsThe app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira.
SLAAll versions
Smart Checklist for Jira. ProVersions < 5.6.1
Smart Issue Analyzer for JiraAll versions
Smart Issue Analyzer for Jira AlignAll versions
Smart Issue Templates for JiraVersions < 1.11.13
Sprint Capacity Planning & TrackingAll versions
SQL+JQL Driver: Transform JQL into SQLVersions < 9.11.3
Status HistoryAll versionsThe app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira.
Status History PROAll versionsThe app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira.
Status update reminder for JiraVersions < 1.0.4
STM for JiraVersions < 4.4.5
Story Mapping for Jira – ProVersions < 3.1.0
SU for JiraVersions < 1.14.0
Subversion ALMVersions < 9.3.4
sumUp for JiraVersions < 3.6.6
swarmOS AnalyzerAll versions
Switch to User + Delegating SU (Jira)Versions < 1.5.2
Sync Sub-Tasks to ParentAll versions
Team Trax: Vacation, holidays, sick leaves tracker for JiraAll versionsThe app vendor notes that all affected actions enforce additional permission checks that are not vulnerable to CVE-2022-0540
Teamworkx Issue Picker for JiraVersions < 8.7.8
Teamworkx Issue Publisher for JiraVersions < 12.5.1
Teamworkx OTRS Integration for JiraVersions < 70.40.10.0
Teamworkx Push and Pull FavoritesVersions < 7.0.11.9
Telegram BotAll versions
Template ManagerVersions < 1.4
TemplateMe! – Customized notificationsVersions < 2.8
Terms and Conditions for JiraVersions < 2.1.0-5
Testlab for JiraAll versions
Time in status | SLA | Timer | Stopwatch for Jira DC/CloudVersions < 5.4.2
TimelineAll versionsThe app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira.
Timeline for JiraVersions < 2.0.4The app vendor notes that all affected actions for versions < 2.0.4 enforce additional permission checks that are not vulnerable to CVE-2022-0540
Timetracker – Time Tracking & ReportingVersions < 4.9.8
TodoMe Connector (Jira)All versions
TodoMe for JiraAll versions
ToDos for Jira IssuesAll versions
Translate Field Options for JiraVersions < 1.3.6
Translator for JiraAll versions
Trophy – gamification for JiraVersions < 1.0.4
UiPath Test Manager for JiraAll versions
URL Restrictions for JiraVersions < 1.0.7
User Anonymizer for Jira (GDPR)Versions < 2.0.5
User Availability Tracker for JiraAll versionsThe app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira.
User Management by Project AdministratorVersions < 82000.1.14
User Mention Groups for the Richtext EditorAll versions
User Picker Avatar for JiraVersions < 3.5.0
User Profiles for JiraVersions < 2.4.5
User Switcher for JiraVersions < 3.1.1
VCAP – Video Capture for Jira Service ManagementVersions < 1.0.2
Version & Component Sync for JiraVersions < 2.9.7
VIP.LEAN TOOLS – Advanced LinksVersions < 1.1.4
vLinks – Easy Issue LinkingVersions < 2.3.2-25ca8af
Watch It for JiraVersions < 3.1.2
WBS Gantt-Chart for JiraVersions < 9.14.4.1
Whiteboards for Jira: team collaborationVersions < 1.51.2
Who deleted my issuesVersions < 3.0.0
Workflow Magic BoxVersions < 1.12-RELEASE
Worklog History PROAll versionsThe app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira.
Worklog expressVersions < 8.5.5-SNAPSHOT
Worklogs – Time Tracking and ReportsVersions < 1.4.3
xCharts – Custom Charts & Reports for JiraVersions < 1.7.8
xPort – Custom Worklog Export for JiraVersions < 1.2.1
Xporter – Export issues from JiraAll versionsThe app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira.

We hope this post will help you know How To Fix CVE-2022-0540- A Critical Authentication Bypass Vulnerability in Jira Seraph. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this. 

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.