CVE-2022-0540

A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0.

CVSS v3.0 9.8 CRITICAL
CVSS v2.0 6.8 MEDIUM

9.8^/10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://confluence.atlassian.com/display/JIRA/Jira+Security+Advisory+2022-04-20	Issue Tracking Patch Vendor Advisory
https://jira.atlassian.com/browse/JSDSERVER-11224	Issue Tracking Patch Vendor Advisory
https://jira.atlassian.com/browse/JRASERVER-73650	Issue Tracking Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:atlassian:jira_service_management:::::server:::*
	cpe:2.3:a:atlassian:jira_service_management:::::data_center:::*
	cpe:2.3:a:atlassian:jira_data_center::::::::
	cpe:2.3:a:atlassian:jira_data_center::::::::
	cpe:2.3:a:atlassian:jira_server::::::::
	cpe:2.3:a:atlassian:jira_service_management:::::data_center:::*
	cpe:2.3:a:atlassian:jira_service_management:::::server:::*
	cpe:2.3:a:atlassian:jira_server::::::::
	cpe:2.3:a:atlassian:jira_data_center::::::::
	cpe:2.3:a:atlassian:jira_service_management:::::server:::*
	cpe:2.3:a:atlassian:jira_server::::::::
	cpe:2.3:a:atlassian:jira_service_management:::::data_center:::*

History

10 Jun 2022, 14:49

Type	Values Removed	Values Added
CPE	cpe:2.3:a:atlassian:jira_core::::::::

28 Apr 2022, 16:55

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 6.8 v3 : 9.8
CWE		CWE-287
References	~~(MISC) https://jira.atlassian.com/browse/JRASERVER-73650 -~~	(MISC) https://jira.atlassian.com/browse/JRASERVER-73650 - Issue Tracking, Patch, Vendor Advisory
References	~~(MISC) https://jira.atlassian.com/browse/JSDSERVER-11224 -~~	(MISC) https://jira.atlassian.com/browse/JSDSERVER-11224 - Issue Tracking, Patch, Vendor Advisory
References	~~(MISC) https://confluence.atlassian.com/display/JIRA/Jira+Security+Advisory+2022-04-20 -~~	(MISC) https://confluence.atlassian.com/display/JIRA/Jira+Security+Advisory+2022-04-20 - Issue Tracking, Patch, Vendor Advisory
First Time		Atlassian jira Server Atlassian jira Core Atlassian Atlassian jira Service Management Atlassian jira Data Center
CPE		cpe:2.3:a:atlassian:jira_service_management:::::data_center:::* cpe:2.3:a:atlassian:jira_service_management:::::server:::* cpe:2.3:a:atlassian:jira_core:::::::: cpe:2.3:a:atlassian:jira_data_center:::::::: cpe:2.3:a:atlassian:jira_server::::::::

20 Apr 2022, 19:20

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-04-20 19:15

Updated : 2022-06-10 14:49

NVD link : CVE-2022-0540

Mitre link : CVE-2022-0540

JSON object : View

Products Affected

atlassian

jira_server
jira_data_center
jira_service_management

CWE

CWE-287

Improper Authentication

9.8 /10