Attacker Value

Very Low

(1 user assessed)

Exploitability

Low

(1 user assessed)

User Interaction

CVE-2022-0540

Disclosure Date: April 20, 2022 •

CVE-2022-0540 CVSS v3 Base Score: 9.8

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Initial Access

Techniques

Validation

Exploit Public-Facing Application

Validated

Description

A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0.

Add Assessment

jbaines-r7 (77)

April 22, 2022 2:52pm UTC (2 years ago)

Ratings

Attacker Value

Very Low

Exploitability

Low

Vulnerable in default configuration Difficult to weaponize

Technical Analysis

On February 15, 2022, Atlassian released Jira Software updates to address CVE-2022-0540. On April 20, Atlassian finally published the CVE and released a security advisory detailing the issue. CVE-2022-0540 is an authentication bypass issue that appears to be improper access control on some endpoints. The vulnerable code exists in Jira core, but only affects downstream “apps” that integrate with Jira. Additionally, an app is only vulnerable if it does not take steps to independently “enforce additional security checks.” Jira cloud services are not affected.

Jira lists two of its own “bundled” apps as affected: Mobile Plugin for Jira and Insight – Asset Management. However, their FAQ also states that Mobile Plugin for Jira is not exploitable due to the aforementioned additional security checks and Insight – Asset Management requires both authentication and special permissions to exploit it. It appears that Atlassian based their CVSS3 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L) on the Insight – Asset Management attack case. Although, the score seems artificially inflated by use of S:C.

While Jira lists approximately 200 affected apps in their disclosure, we do not expect this issue to see widespread exploitation. The actual impact of the bypass is dependent on the functionality exposed by the app’s vulnerable endpoint. There may be a high impact vulnerable app, but the install base of specific apps is going to be significantly smaller than the Jira install base. Coupled with the fact that this issue has been fixed for more than 2 months, and cloud services are not affected, exploitation will be spotty at best (if at all).

Helpful Links

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

General Information

Offensive Application

Unknown

Utility Class

Unknown

Ports

Unknown

Vulnerable Versions

Jira Core Server 8.13.18

Jira Core Server 8.14.0

Jira Core Server 8.20.6

Jira Core Server 8.21.0

Jira Core Server 8.22.0

Jira Software Server 8.13.18

Jira Software Server 8.14.0

Jira Software Server 8.20.6

Jira Software Server 8.21.0

Jira Software Server 8.22.0

Jira Software Data Center 8.13.18

Jira Software Data Center 8.14.0

Jira Software Data Center 8.20.6

Jira Software Data Center 8.21.0

Jira Software Data Center 8.22.0

Jira Service Management Server 4.13.18

Jira Service Management Server 4.14.0

Jira Service Management Server 4.20.6

Jira Service Management Server 4.21.0

Jira Service Management Server 4.22.0

Jira Service Management Data Center 4.13.18

Jira Service Management Data Center 4.14.0

Jira Service Management Data Center 4.20.6

Jira Service Management Data Center 4.21.0

Jira Service Management Data Center 4.22.0

Prerequisites

Unknown

Discovered By

Unknown

PoC Author

Unknown

Metasploit Module

Unknown

Reporter

Unknown

Vendors

atlassian

Products

jira data center,
jira server,
jira service management

References

Canonical

CVE-2022-0540 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0540)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

CVE-2022-0540-Preauth-RCE (https://github.com/Pear1y/CVE-2022-0540-Preauth-RCE) (Added by AKB Worker)

Miscellaneous

https://confluence.atlassian.com/display/JIRA/Jira+Security+Advisory+2022-04-20

https://jira.atlassian.com/browse/JRASERVER-73650

https://jira.atlassian.com/browse/JSDSERVER-11224

Rapid7

Very Low

CVE-2022-0540

Very Low

Low

None

None

Network

CVE-2022-0540

Description

Add Assessment

Ratings

Technical Analysis

Helpful Links

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Exploit

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification