Atlassian patches auth bypass in Seraph

Atlassian’s Jira and Jira Service Framework have an authentication bypass that can be inherited by third-party apps.

The bug, discovered by Khoadha of Viettel Cyber Security, occurs in the company’s Seraph pluggable J2EE web application security framework.

Atlassian products affected by CVE-2022-0540 include the Jira Core Server, Software Server, Software Data Center, Jira Service Management Server, and Jira Service Management Data Center.

The cloud versions of Jira and Jira Service Management are not affected.

“A remote, unauthenticated attacker could exploit this by sending a specially crafted HTTP request to bypass authentication and authorisation requirements in WebWork actions using an affected configuration,” the company said in its advisory. 

The notice continued: “it affects first and third-party apps that specify roles-required at the webwork1 action namespace level and do not specify it at an action level. For a specific action to be affected, the action will also need to not perform any other authentication or authorization checks.”

Two bundled apps from Atlassian are affected: the Mobile Plugin for Jira, and Insight – Asset Management. Standalone versions of Insight – Asset Management older than 8.10.0 are also affected.

In an FAQ, the company said a large number of third-party apps were affected, and consequently, it contacted those third parties to give them a chance to fix their apps before it published its advisory.

More than 200 Atlassian market place apps are affected, including Calendar for Jira, Smart Checklins for Jira Pro, and Dependent Select List.

The company noted that once a customer has installed a fixed version of Jira or Jira Service Management, “all apps in your instance are protected against CVE-2022-0540 and no further action is required."