Critical Security Advisory: Jira and Jira Service Management – Authentication Bypass

Jira and Jira Service Management are vulnerable to an authentication bypass in their web authentication framework, Jira Seraph.

Although the vulnerability is in the core of Jira, it affects first- and third-party apps that specify roles-required at the webwork1 action namespace level and do not specify it at the action level. For a specific action to be affected, the action must also not perform any other authentication or authorization checks of its own.

A remote, unauthenticated attacker could exploit this by requesting a specially crafted URL to bypass authentication and authorization requirements in WebWork actions using an affected configuration.
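The affected configuration is easier to recognise in a concrete descriptor. The following added example (not Atlassian code, and not from this advisory) scans an atlassian-plugin.xml for webwork1 modules that carry roles-required at the namespace level while one or more of their actions do not restate it; it assumes the standard webwork1 module layout (<webwork1 roles-required=...><actions><action .../></actions></webwork1>) and a constructed sample descriptor, and it cannot see Java-side permission checks, so a hit means "review this action", not "confirmed affected".

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample descriptor (not from any real app): the first module
# sets roles-required only on the namespace, so ExportIssues inherits it
# and is flagged, while PurgeIssues restates the role at action level.
# The second module sets no role at all, which is outside this pattern.
SAMPLE_DESCRIPTOR = """
<atlassian-plugin key="example.plugin" name="Example (constructed)">
  <webwork1 key="admin-actions" name="Admin actions" class="java.lang.Object"
            roles-required="admin">
    <actions>
      <action name="com.example.ExportAction" alias="ExportIssues">
        <view name="success">/templates/export.vm</view>
      </action>
      <action name="com.example.PurgeAction" alias="PurgeIssues"
              roles-required="admin">
        <view name="success">/templates/purge.vm</view>
      </action>
    </actions>
  </webwork1>
  <webwork1 key="public-actions" name="Public actions" class="java.lang.Object">
    <actions>
      <action name="com.example.ViewAction" alias="ViewBoard"/>
    </actions>
  </webwork1>
</atlassian-plugin>
"""


def find_inherited_role_actions(descriptor_xml: str) -> List[Tuple[str, str, str]]:
    """Return (module key, action alias, inherited role) for every action that
    relies solely on the namespace-level roles-required attribute."""
    root = ET.fromstring(descriptor_xml)
    hits: List[Tuple[str, str, str]] = []
    for module in root.iter("webwork1"):
        ns_role = module.get("roles-required")
        if not ns_role:
            continue  # nothing to inherit; not the pattern this advisory describes
        for action in module.iter("action"):
            if not action.get("roles-required"):
                alias = action.get("alias") or action.get("name", "?")
                hits.append((module.get("key", "?"), alias, ns_role))
    return hits


if __name__ == "__main__":
    for key, alias, role in find_inherited_role_actions(SAMPLE_DESCRIPTOR):
        print(f"module {key}: action {alias} relies on namespace roles-required={role}")
```

Run it against the atlassian-plugin.xml extracted from each installed app jar; an empty result for a module does not clear it if the namespace has no roles-required, since that module is simply outside the pattern described here.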

An app is only affected by CVE-2022-0540 when both of the following conditions are true:

  • It’s installed in one of the affected Jira or Jira Service Management versions listed below
  • It’s using a configuration vulnerable to CVE-2022-0540

Jira Cloud and Jira Service Management Cloud customers are not affected.

What is the impact of this?

For installations that use apps that have an affected configuration, Atlassian rates the severity level of this vulnerability as critical, though this may vary if an affected app uses additional permissions checks. For more detailed information on the impact to each app listed in the Which apps are affected? section below, contact the app vendor.

For installations that do not use any apps that have an affected configuration as described in the summary above, Atlassian rates the severity level of this vulnerability as medium.

This is our assessment, and you should evaluate its applicability to your own IT environment.

Affected Jira versions

This includes the following products:

  • Jira Core Server
  • Jira Software Server
  • Jira Software Data Center

Affected versions:

  • All versions before 8.13.18
  • 8.14.x
  • 8.15.x
  • 8.16.x
  • 8.17.x
  • 8.18.x
  • 8.19.x
  • 8.20.x before 8.20.6
  • 8.21.x

Fixed Jira versions

  • 8.13.18
  • 8.20.6
  • 8.22.0

You can download the latest versions from the download pages for Jira Core or Jira Software.

Please Note: These are the first versions that include the fix for CVE-2022-0540. More current bug fix releases are available for the three releases listed above. Atlassian recommends upgrading to the most current bug fix version.

Affected Jira Service Management versions

This includes the following products:

  • Jira Service Management Server
  • Jira Service Management Data Center

Affected versions:

  • All versions before 4.13.18
  • 4.14.x
  • 4.15.x
  • 4.16.x
  • 4.17.x
  • 4.18.x
  • 4.19.x
  • 4.20.x before 4.20.6
  • 4.21.x

Fixed Jira Service Management versions

  • 4.13.18
  • 4.20.6
  • 4.22.0

You can download the latest versions from the download page for Jira Service Management.

Please Note: These are the first versions that include the fix for CVE-2022-0540. More current bug fix releases are available for the three releases listed above. Atlassian recommends upgrading to the most current bug fix version.

Which apps are affected?

An app is only affected by CVE-2022-0540 when both of the following conditions are true:

  • It’s installed in one of the affected Jira or Jira Service Management versions listed above
  • It’s using a configuration vulnerable to CVE-2022-0540

Although app configuration is one factor that determines whether or not it is vulnerable, it is not the cause of the vulnerability. These apps are correctly using documented functionality that was previously implemented by Jira and Jira Service Management in a vulnerable way. If you have already installed a fixed version of Jira or Jira Service Management, you are protected against this vulnerability no matter which apps you have installed.

Atlassian has determined the following apps on Atlassian Marketplace use a configuration vulnerable to CVE-2022-0540. If you are using an app that is not listed on Atlassian Marketplace, please contact the developer to determine if it’s using an affected configuration.

This list includes two Atlassian apps:

  • Insight – Asset Management
    • Versions 8.x and earlier are available from the Atlassian Marketplace
    • Versions 9.x are bundled with Jira Service Management Server and Data Center 4.15.0 and later
  • Mobile Plugin for Jira
    • Bundled with Jira Server, Jira Software Server and Data Center 8.0.0 and later
    • Bundled with Jira Service Management Server and Data Center 4.0.0 and later

Atlassian Marketplace Apps with Configurations Affected by CVE-2022-0540

App Name Affected Versions Notes
Activity for Jira Versions < 2.3.0
Activity Timeline: Resource Planning & Time Tracking Versions < 9.1.4
Alfresco connector for Jira Versions 1.15.3-8
Agile Tools & Filters for Jira Software Versions < 4.0.12
Agile User Story Map & Product Roadmap for Jira Versions < 6.4.1
🇺🇦 Alert Catcher – Jira integration with Zabbix SIEM Versions < 2.0.10
aqua – Test Management & Automation All versions
ARCAD For Jira All versions
Atlas CRM – Customers and Sales in Jira All versions
Automated Log Work for Jira Versions < 6.9.5
AutoPage – Automated Page Creation Versions < 2.15.0
BDQ Migration Analyst for Jira Cloud Versions < 1.0.2
Calculated and other custom fields(JBCF) for Jira DC/Cloud All versions
Calendar for Jira All versions The app vendor notes that all affected actions enforce additional permission checks that are not vulnerable to CVE-2022-0540
🇺🇦 Cisco Finesse integration for Jira Versions < 1.0.7
CodeRunner PRO All versions
Comala Agile Ranking Versions < 1.6.0
Comala Canvas for Jira All versions
Comment History for Jira Versions < 2.2.1
Comment Security Default Versions < 4.0.1
Connector for Salesforce and Jira Server Versions < 1.14.1-8
Control Freak Versions < 1.0.7
Cross filters matrix All versions
Custom Select List All versions
Customfield Editor for Jira Versions < 2.13.1
Customizable Announcements for Jira All versions
Decision Tables for Jira All versions
Default Values for ‘Create Issue’ screen Versions < 4.2.8
Delegating group management All versions
Denkplan Portfolio Map for Jira All versions
Dependent Select List All versions
Display linked issues All versions
Document Vault for Jira Versions < 5.2.1
e Matrix Versions < 3.1.2
Easy Field Template All versions
Eclipse BIRT for SQL+JQL All versions
EduBrite LMS for Jira Service Management All versions
Elevator – Smart Issue Assignment All versions
Encryption for Jira Versions < 1.7.21
Enterprise Mail Handler for Jira (JEMH) Server versions < 3.3.86-server; Data Center versions < 3.3.85-dc
Epic watcher Versions < 1.0.2
Excel-like Issue Editor for Jira – Embed Spreadsheet & Table Versions < 1.17.1.1
excentia Admin Tools for Jira Versions < 2.13.2
Extender for Jira Versions < 2.16.0
Feedback for Jira – Forms for website All versions
Field Hide for Jira All versions
Field Hide for Jira – Lite All versions
Figma for Jira All versions
Flexible Calendar for Jira All versions
Frontu Field Service Management Add-on All versions
Gamification for Jira All versions
GDPR (DSGVO) and Security for Jira Versions < 1.18.1
Gears desk for Jira All versions
Gears issue export permission All versions The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira.
Gears Lock manager for jira All versions
Gears Properties Manager All versions
Gears Usage Statistics for jira All versions The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira.
Gears worklog-restricted for Jira All versions
Git Integration for Jira Versions < 4.2.1
Google Analytics for Jira All versions
Group Ambassadors Versions < 2.4.1
Groups Plus – Attributes and delegated management Versions < 1.0.3.15
Home Directory, Database & Log Browser for Jira Versions < 1.34.1
ID Generator for Jira All versions
Import Export for Jira + Structure – Microsoft Project Versions < 1.4.6
Insight – Asset Management Versions < 8.10.0; all 9.x versions Bundled with Jira Service Management 4.15 and later. Customers using Jira Service Management 4.15.0 or later cannot install Insight 8.10.0 via UPM, and should install one of the updated versions of Jira Service Management noted in this advisory or see the Workarounds section below. An authenticated attacker with object schema manager permissions could exploit this vulnerability to execute arbitrary code.

InstaPrinta – Print Jira Issues directly Versions < 2.9.0
iridion for JIRA All versions
Issue Actions Todo Versions < 3.1.1
Issue Linked Event for Jira Versions < 1.12.0
Issue Search Customiser for Jira Versions < 1.3.4
Issues Toolbox for Jira All versions
It’s a Feature, Not a Bug All versions
J2J Issue Sync All versions
Jenkins Integration for Jira Versions < 5.8.0
Jenkins Integration for Jira – Lite Versions < 5.8.0
Jira Misc Custom Fields (JMCF) All versions
Jira Misc Workflow Extensions (JMWE) All versions
Jira Workflow Toolbox All versions
JsIncluder All versions
Label Manager for Jira Versions < 4.7.8
Legal for Jira All versions This app is no longer supported and has been archived.
Log Tailer for Jira Versions < 1.2.3
Lync and Skype Connector for Jira All versions
Message field All versions
Metadata for Jira Versions < 4.8.6 The app vendor notes that all affected actions enforce additional permission checks that are not vulnerable to CVE-2022-0540
Microfocus Dimensions CM Integration All versions
ML1 All versions
Mobile Plugin for Jira Data Center and Server Versions < 3.2.14 Bundled with Jira and JSM. Atlassian has determined the security risk is negligible since all affected actions enforce additional permission checks that are not vulnerable to CVE-2022-0540

MOCO Time Tracking for Jira Versions < 1.3.5
Multiple Checklists for Jira Versions < 1.17.2
My Secret Santa for Jira All versions The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira.
My Service Portal Versions < 2.1.14.20220412102158
My.com Calendar Versions < 4.2.1
Namo Crosseditor For Jira Versions < 1.0.13
Notify Watcher Versions < 1.7.2
NotifyMe! – Send emails from Jira issues All versions
One-time Link All versions
Organizations Automation All versions
PageMe! – Create Pages from Jira Issues All versions
Performance Objectives: Charts for Jira Versions < 22.4.4
PractiTest Test Management for Jira All versions
Prevent Anonymous Access Versions < 3.1.0
ProScheduler: Resource Planning & Gantt – Project Management Versions < 4.1.0
Project Archiver for Jira Versions < 1.4.0
Project Budget for Jira Versions < 1.2.0
Project Creator All versions
Project Documents for Jira Versions < 3.9.1
Project Specific Select Field Versions < 3.0.2
Project User Manager (PUM) Versions < 1.2.5
Projectrak – Project Tracking for Jira Versions < 8.8.2
Projektron BCS Connector for Jira All versions
QA Craft Test Management for Jira All versions
QAlity – Test Management for Jira All versions
QAlity Plus – Test Management for Jira All versions
Quality Tiger – Test Management for Jira All versions
Quick Subtasks for Jira All versions
Raley Favourites for Jira Versions < 1.1.1
ReceiveMe! – Email handler for Jira All versions
Refined for Jira | Sites & Themes Versions 3.3.x < 3.3.4; versions < 3.2.21
RemindMe for Jira Versions < 1.3.5
Report Builder Versions < 3.9.1
Run CLI Actions in Jira Versions < 10.2.1
SCIM User Provisioning for Jira Versions < 2.7.1
Search by workflows All versions
Secure Admin for Jira Versions < 3.4.2
Secure Code Warrior® for Jira All versions
Security Attachment Manager for Jira Versions < 1.0.8
Security Fields and Attachments All versions
Service Desk Menu for Jira Versions < 1.4.0
SharedManager All versions
Sign Off Plugin for Jira Versions < 1.2.0
SIL Groovy Connector All versions
Simple Tasklists All versions
Simple Team Pages for Jira All versions
Simple notifications for Jira All versions
SLA All versions
Smart Checklist for Jira. Pro All versions
Smart Issue Analyzer for Jira All versions
Smart Issue Analyzer for Jira Align All versions
Smart Issue Templates for Jira All versions
Sprint Capacity Planning & Tracking All versions
SQL+JQL Driver: Transform JQL into SQL All versions
Status History All versions
Status History PRO All versions
Status update reminder for Jira Versions < 1.0.4
STM for Jira Versions < 4.4.5
Story Mapping for Jira – Pro Versions < 3.1.0
SU for Jira Versions < 1.14.0
Subversion ALM All versions
sumUp for Jira All versions
swarmOS Analyzer All versions
Switch to User + Delegating SU (Jira) All versions
Sync Sub-Tasks to Parent All versions
Team Trax: Vacation, holidays, sick leaves tracker for Jira All versions
Teamworkx Issue Picker for Jira Versions < 8.7.8
Teamworkx Issue Publisher for Jira Versions < 12.5.1
Teamworkx OTRS Integration for Jira Versions < 70.40.10.0
Teamworkx Push and Pull Favorites Versions < 7.0.11.9
Telegram Bot All versions
Template Manager All versions
TemplateMe! – Customized notifications All versions
Terms and Conditions for Jira Versions < 2.1.0-5
Testlab for Jira All versions
Time in status | SLA | Timer | Stopwatch for Jira DC/Cloud All versions
Timeline All versions
Timeline for Jira Versions < 2.0.4 The app vendor notes that all affected actions for versions < 2.0.4 enforce additional permission checks that are not vulnerable to CVE-2022-0540
Timetracker – Time Tracking & Reporting Versions < 4.9.8
TodoMe Connector (Jira) All versions
TodoMe for Jira All versions
ToDos for Jira Issues All versions
Translate Field Options for Jira Versions < 1.3.6
Translator for Jira All versions
Trophy – gamification for Jira Versions < 1.0.4
UiPath Test Manager for Jira All versions
URL Restrictions for Jira Versions < 1.0.7
User Anonymizer for Jira (GDPR) Versions < 2.0.5
User Availability Tracker for Jira All versions The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira.
User Management by Project Administrator Versions < 82000.1.14
User Mention Groups for the Richtext Editor All versions
User Picker Avatar for Jira Versions < 3.5.0
User Profiles for Jira Versions < 2.4.5
User Switcher for Jira Versions < 3.1.1
VCAP – Video Capture for Jira Service Management All versions
Version & Component Sync for Jira All versions
VIP.LEAN TOOLS – Advanced Links Versions < 1.1.4
Watch It for Jira Versions < 3.1.2
WBS Gantt-Chart for Jira All versions
Whiteboards for Jira: team collaboration Versions < 1.51.2
Who deleted my issues All versions
Workflow Magic Box All versions
Worklog History PRO All versions
Worklog express All versions
Worklogs – Time Tracking and Reports Versions < 1.4.3
xCharts – Custom Charts & Reports for Jira All versions
xPort – Custom Worklog Export for Jira All versions
Xporter – Export issues from Jira All versions
vLinks – Easy Issue Linking All versions

What are the workarounds?

Installing a fixed version of Jira or Jira Service Management is the surest way to remediate CVE-2022-0540. Once a fixed version has been installed, all apps in your instance are protected against CVE-2022-0540 and no further action is required.

If you’re unable to install a fixed version of Jira or Jira Service Management and you’re using any affected apps, refer to the table in the Which apps are affected? section above to determine if non-affected versions of those apps are available. If so, update any affected apps to a non-affected version.

As a last resort, if you’re using any apps listed in the Which apps are affected? section and all versions of the app are affected, you can mitigate the security risk by disabling the app until you’re able to install a fixed version of Jira or Jira Service Management.

DO NOT disable Insight – Asset Management on the following versions of Jira Service Management:

  • 4.19.x
  • 4.20.x < 4.20.3

In these versions of Jira Service Management, disabling Insight – Asset Management causes all of Jira Service Management to be disabled.

For more information on how to disable the Insight – Asset Management app, refer to this Jira KB article.

Need Help With This?

Give us a call, or submit a help request here. As an Atlassian Platinum Solution Partner, we’re here to help you keep all your Atlassian products running smoothly.