Security Advisory for Atlassian's Authentication bypass in Seraph - CVE-2022-0540
April 20, 2022
For Jira Server and Jira Data Center customers only
Summary of Vulnerability
The following note has been provided by Atlassian. For details, please refer to Jira Security Advisory 2022-04-20 to determine whether you are affected and how to protect affected installations.
Jira and Jira Service Management are vulnerable to an authentication bypass in Jira's web authentication framework, Jira Seraph.
Although the vulnerability is in the core of Jira, it affects first- and third-party apps that specify roles-required at the webwork1 action namespace level and do not specify it at the action level. For a specific action to be affected, the action must also not perform any other authentication or authorization checks of its own.
A remote, unauthenticated attacker could exploit this by sending a specially crafted HTTP request to bypass authentication and authorization requirements in WebWork actions using an affected configuration.
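To make the affected configuration concrete, here is an added illustrative atlassian-plugin.xml fragment (not taken from the advisory, from Atlassian, or from zAgileConnect) showing the namespace-only pattern the advisory describes next to the pattern where each action carries its own requirement; the plugin key, action class and alias are hypothetical placeholders.

```xml
<!-- Added example, not from the advisory or from the zAgileConnect add-on.
     Plugin key, action class name, alias and template path are hypothetical. -->

<!-- Affected pattern: roles-required appears only on the <webwork1> namespace
     element. The <action> itself declares no requirement, so if the action
     class also does no authorization check of its own, it matches the
     configuration the advisory says CVE-2022-0540 can bypass. -->
<webwork1 key="example-actions-affected" name="Example Actions"
          class="java.lang.Object" roles-required="admin">
  <actions>
    <action name="com.example.jira.ExampleConfigAction" alias="ExampleConfig">
      <view name="success">/templates/example-config.vm</view>
    </action>
  </actions>
</webwork1>

<!-- Hardened pattern: the same roles-required value is repeated on every
     <action>, so no action relies solely on the namespace-level setting.
     Upgrading Jira to a fixed version remains the primary fix; an in-action
     permission check is the second independent layer the advisory refers to. -->
<webwork1 key="example-actions-hardened" name="Example Actions"
          class="java.lang.Object" roles-required="admin">
  <actions>
    <action name="com.example.jira.ExampleConfigAction" alias="ExampleConfig"
            roles-required="admin">
      <view name="success">/templates/example-config.vm</view>
    </action>
  </actions>
</webwork1>
```

When auditing your own descriptors, look for any `<action>` under a `<webwork1>` element that sets roles-required without repeating it at the action level.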
zAgileConnect add-ons for Jira Server and Data Center are affected by CVE-2022-0540. Note that zAgileConnect add-ons are not the cause of the vulnerability, but they are impacted by this Jira vulnerability.
Recommended Actions
You have two options:
1. Upgrade your Jira (Recommended)
Upgrade your Jira to a fixed version as described in Jira Security Advisory 2022-04-20.
2. Or, upgrade the zAgileConnect Add-on in Jira
Upgrade the zAgileConnect Add-on in Jira to a version compatible with your package in Salesforce. Refer to the compatibility matrix in Installing Jira Add-on.
For Jira Data Center, please contact zAgile Support for the download link.
Please note that you cannot upgrade to the latest Jira Add-on if it is not compatible with the zAgileConnect package installed in your Salesforce instance.
To check which version of the zAgileConnect Jira Add-on is compatible with your Salesforce package, please refer to the compatibility matrix in Installing Jira Add-on.