Page tree

You are on the Xporter Server documentation. If you are looking for Xporter Cloud documentation, you can find it in this page.

Skip to end of metadata
Go to start of metadata

Jira and Jira Service Management are vulnerable to an authentication bypass in its web authentication framework, Jira Seraph.

Although the vulnerability is at the core of Jira, it affects first and third-party apps like Xporter.

We recommend the upgrade of Jira as mentioned on the Atlassian Security Advisory so all apps in your instance are protected against CVE-2022-0540. As an alternative, Xporter released the 6.9.9 to the Atlassian Marketplace which fixes the vulnerability.

Xporter for Jira Server and Data Center - Authentication Bypass in Jira Seraph - CVE-2022-0540

Summary

Authentication Bypass in Jira Seraph - CVE-2022-0540

Advisory Release Date

 10:00 AM CET 

Product

Xporter for Jira Server & Data Center

Affected on Xporter for Jira Server & Jira Data Center Versions

6.9.8 and earlier

Fixed on Xporter Jira Server & Jira Data Center Versions

6.9.9 and later

Summary of Vulnerability

This advisory discloses a security vulnerability classified as critical that was present in Xporter for Jira Server & Data Center. Versions of Xporter for Jira Server & Data Center affected by this vulnerability:

  • 6.9.8 and earlier (fixed in 6.9.9 and later).

Customers who have upgraded Jira to a fixed version mentioned on the Atlassian Security Advisory or upgraded Xporter for Jira Server & Data Center to version 6.9.9 or higher are not affected.

Customers who are on any of the affected versions, upgrade your Jira or Xporter for Jira Server & Data Center installations immediately to fix this vulnerability.

Severity

The vulnerability is rated as critical, according to the CVSS Version 3.


Description

Jira and Jira Service Management are vulnerable to an authentication bypass in its web authentication framework, Jira Seraph.

Although the vulnerability is in the core of Jira, it affects first and third-party apps that specify roles-required at the webwork1 action namespace level and do not specify it at an action level. For a specific action to be affected, the action will also need to not perform any other authentication or authorization checks.

A remote, unauthenticated attacker could exploit this by sending a specially crafted HTTP request to bypass authentication and authorization requirements in WebWork actions using an affected configuration.

The issue can be tracked here: 

XPORTER-3975 - Getting issue details... STATUS


Fix

We recommend the upgrade of Jira as mentioned on the Atlassian Security Advisory so all apps in your instance are protected against CVE-2022-0540. As an alternative, Xporter released the 6.9.9 to the Atlassian Marketplace which fixes the vulnerability. You can upgrade to the latest version of Xporter for Jira Server & Data Center using the Universal Plugin Manager as explained in Updating apps

Support

If you have questions or concerns regarding this advisory, please raise a support request here.

  • No labels