Note: Jira and Jira Service Management are vulnerable to an authentication bypass in their web authentication framework, Jira Seraph. Although the vulnerability is in the core of Jira, it affects first and third-party apps like Xporter. We recommend the upgrade of Jira as mentioned on the Atlassian Security Advisory. As an alternative, Xporter released version 6.9.9 to the Atlassian Marketplace, which fixes the vulnerability.
Xporter for Jira Server and Data Center - Authentication Bypass in Jira Seraph - CVE-2022-0540
The vulnerability is rated as critical according to CVSS Version 3.
Description
"Jira and Jira Service Management are vulnerable to an authentication bypass in its web authentication framework, Jira Seraph. Although the vulnerability is in the core of Jira, it affects first and third-party apps that specify roles-required at the webwork1 action namespace level and do not specify it at an action level. For a specific action to be affected, the action will also need to not perform any other authentication or authorization checks. A remote, unauthenticated attacker could exploit this by sending a specially crafted HTTP request to bypass authentication and authorization requirements in WebWork actions using an affected configuration." (Atlassian)
The issue can be tracked here:
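The affected configuration in Atlassian's description (roles-required declared on the webwork1 module but not on each action) can be checked for in a plugin descriptor. The audit script below is an added example, not Xporter's or Atlassian's code; the descriptor it parses is a constructed sample, and the placement of the roles-required attribute on the webwork1 element and on each action element follows Atlassian's wording, so treat it as an assumption if your descriptor differs.

```python
import xml.etree.ElementTree as ET

# Constructed sample atlassian-plugin.xml (not Xporter's real descriptor).
# The first webwork1 module relies on a module-level roles-required only;
# the second declares roles-required on every action.
SAMPLE_DESCRIPTOR = """<atlassian-plugin key="com.example.demo" name="Demo">
  <webwork1 key="report-actions" name="Report actions" class="java.lang.Object"
            roles-required="admin">
    <actions>
      <action name="com.example.ExportAction" alias="ExportReport">
        <view name="success">/templates/export.vm</view>
      </action>
      <action name="com.example.ConfigAction" alias="ConfigureReport"
              roles-required="admin">
        <view name="success">/templates/config.vm</view>
      </action>
    </actions>
  </webwork1>
  <webwork1 key="safe-actions" name="Safe actions" class="java.lang.Object">
    <actions>
      <action name="com.example.ViewAction" alias="ViewReport" roles-required="use">
        <view name="success">/templates/view.vm</view>
      </action>
    </actions>
  </webwork1>
</atlassian-plugin>
"""


def find_affected_actions(descriptor_xml: str) -> list[str]:
    """Return 'module-key/alias' for each action that inherits roles-required
    only from its webwork1 module and declares none itself: the configuration
    Atlassian describes as affected by CVE-2022-0540."""
    root = ET.fromstring(descriptor_xml)
    affected = []
    for module in root.iter("webwork1"):
        if not module.get("roles-required"):
            continue  # no namespace-level role: not the pattern in question
        for action in module.iter("action"):
            if not action.get("roles-required"):
                label = action.get("alias") or action.get("name") or "?"
                affected.append(f"{module.get('key')}/{label}")
    return affected


if __name__ == "__main__":
    for entry in find_affected_actions(SAMPLE_DESCRIPTOR):
        print("action relies on namespace-level roles-required only:", entry)
```

Because the advisory also says an action is only affected if it performs no other authentication or authorization check, each reported action is a candidate to review, not a confirmed finding.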
Fix
We recommend the upgrade of Jira as mentioned on the Atlassian Security Advisory. As an alternative, Xporter released version 6.9.9 to the Atlassian Marketplace, which fixes the vulnerability.
What You Need to Do
Upgrade