CVE-2022-0540: Jira Security Advisory 2022-04-20 | Atlassian Support
A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0.
| App Name | Affected Versions | Notes |
|---|---|---|
| Activity for Jira | Versions < 2.3.0 | |
| Activity Timeline: Resource Planning & Time Tracking | Versions < 9.1.4 | |
| Alfresco connector for Jira | Versions < 1.15.3-8 | |
| Agile Tools & Filters for Jira Software | Versions < 4.0.12 | |
| Agile User Story Map & Product Roadmap for Jira | Versions < 6.4.1 | |
| 🇺🇦 Alert Catcher - Jira integration with Zabbix SIEM | Versions < 2.0.10 | |
| aqua - Test Management & Automation | All versions | |
| ARCAD For Jira | All versions | |
| Atlas CRM - Customers and Sales in Jira | Versions < 1.9.10 | |
| Automated Log Work for Jira | Versions < 6.9.5 | |
| AutoPage - Automated Page Creation | Versions < 2.15.0 | |
| BDQ Migration Analyst for Jira Cloud | Versions < 1.0.2 | |
| Calculated and other custom fields (JBCF) for Jira DC/Cloud | Versions < 3.1.3 | |
| Calendar for Jira | Versions < 3.6.2 | The app vendor notes that all affected actions enforce additional permission checks that are not vulnerable to CVE-2022-0540. |
| 🇺🇦 Cisco Finesse integration for Jira | Versions < 1.0.7 | |
| CodeRunner PRO | All versions | |
| Comala Agile Ranking | Versions < 1.6.0 | |
| Comala Canvas for Jira | Versions < 3.0.5 | |
| Comment History for Jira | Versions < 2.2.1 | |
| Comment Security Default | Versions < 4.0.1 | |
| Connector for Salesforce and Jira Server | Versions < 1.14.1-8 | |
| Control Freak | Versions < 1.0.7 | |
| Cross filters matrix | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Custom Select List | All versions | |
| Customfield Editor for Jira | Versions < 2.13.1 | |
| Customizable Announcements for Jira | Versions < 2.2.0 | |
| Decision Tables for Jira | Versions < 1.2.10 | |
| Default Values for ‘Create Issue’ screen | Versions < 4.2.8 | |
| Delegating group management | Versions < 3.0.6 | |
| Denkplan Portfolio Map for Jira | Versions < 2.2.0 | |
| Dependent Select List | Versions < 2.4 | |
| Display linked issues | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Document Vault for Jira | Versions < 5.2.1 | |
| e Matrix | Versions < 3.1.2 | |
| Easy Field Template | All versions | |
| Eclipse BIRT for SQL+JQL | Versions < 3.6.6 | |
| EduBrite LMS for Jira Service Management | Versions < 3.41.12 | |
| Elevator - Smart Issue Assignment | Versions < 3.10.2 | |
| Encryption for Jira | Versions < 1.7.21 | |
| Enterprise Mail Handler for Jira (JEMH) | Server versions < 3.3.86-server; Data Center versions < 3.3.85-dc | |
| Epic watcher | Versions < 1.0.2 | |
| Excel-like Issue Editor for Jira - Embed Spreadsheet & Table | Versions < 1.17.1.1 | |
| excentia Admin Tools for Jira | Versions < 2.13.2 | |
| Extender for Jira | Versions < 2.16.0 | |
| Feedback for Jira - Forms for website | All versions | This app is no longer supported and has been archived. |
| Field Hide for Jira | All versions | |
| Field Hide for Jira - Lite | All versions | |
| Figma for Jira | Versions < 2.2.2 | |
| Flexible Calendar for Jira | Versions < 2.9.2 | |
| Frontu Field Service Management Add-on | All versions | |
| Gamification for Jira | All versions | |
| GDPR (DSGVO) and Security for Jira | Versions < 1.18.1 | |
| Gears desk for Jira | Versions < 2.4.3 | |
| Gears issue export permission | Versions < 2.4.1 | |
| Gears Lock manager for jira | Versions < 1.3.1 | |
| Gears Properties Manager | Versions < 1.5.1 | |
| Gears Usage Statistics for jira | Versions < 1.4.2 | |
| Gears worklog-restricted for Jira | All versions | |
| Git Integration for Jira | Versions < 4.2.1 | |
| Google Analytics for Jira | All versions | |
| Group Ambassadors | Versions < 2.4.1 | |
| Groups Plus - Attributes and delegated management | Versions < 1.0.3.15 | |
| Home Directory, Database & Log Browser for Jira | Versions < 1.34.1 | |
| ID Generator for Jira | All versions | |
| Import Export for Jira + Structure - Microsoft Project | Versions < 1.4.6 | |
| Insight - Asset Management | Versions < 8.10.0; All 9.x versions | Bundled with Jira Service Management 4.15 and later. Customers using Jira Service Management 4.15.0 or later cannot install Insight 8.10.0 via UPM, and should install one of the updated versions of Jira Service Management noted in this advisory or see the Workarounds section below. An authenticated attacker with object schema manager permissions could exploit this vulnerability to execute arbitrary code. |
| InstaPrinta - Print Jira Issues directly | Versions < 2.9.0 | |
| iridion for JIRA | All versions | |
| Issue Actions Todo | Versions < 3.1.1 | |
| Issue Linked Event for Jira | Versions < 1.12.0 | |
| Issue Search Customiser for Jira | Versions < 1.3.4 | |
| Issues Toolbox for Jira | Versions < 2.1.2 | |
| It’s a Feature, Not a Bug | All versions | |
| J2J Issue Sync | All versions | |
| Jenkins Integration for Jira | Versions < 5.8.0 | |
| Jenkins Integration for Jira - Lite | Versions < 5.8.0 | |
| Jira Misc Custom Fields (JMCF) | Versions < 2.4.6 | |
| Jira Misc Workflow Extensions (JMWE) | Versions < 7.1.4 | |
| Jira Workflow Toolbox | Versions < 3.1.5 | |
| JsIncluder | All versions | |
| Label Manager for Jira | Versions < 4.7.8 | |
| Legal for Jira | All versions | This app is no longer supported and has been archived. |
| Log Tailer for Jira | Versions < 1.2.3 | |
| Lync and Skype Connector for Jira | All versions | |
| Message field | Versions < 4.6.6 | |
| Metadata for Jira | Versions < 4.8.6 | The app vendor notes that all affected actions enforce additional permission checks that are not vulnerable to CVE-2022-0540. |
| Microfocus Dimensions CM Integration | All versions | |
| ML1 | All versions | |
| Mobile Plugin for Jira Data Center and Server | Versions < 3.2.14 | Bundled with Jira and JSM. Atlassian has determined the security risk is negligible since all affected actions enforce additional permission checks that are not vulnerable to CVE-2022-0540. |
| MOCO Time Tracking for Jira | Versions < 1.3.5 | |
| Multiple Checklists for Jira | Versions < 1.17.2 | |
| My Secret Santa for Jira | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| My Service Portal | Versions < 2.1.14.20220412102158 | |
| My.com Calendar | Versions < 4.2.1 | |
| Namo Crosseditor For Jira | Versions < 1.0.13 | |
| Notify Watcher | Versions < 1.7.2 | |
| NotifyMe! - Send emails from Jira issues | Versions < 2.0.12 | |
| One-time Link | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Organizations Automation | Versions < 2.10.2 | |
| PageMe! - Create Pages from Jira Issues | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Performance Objectives: Charts for Jira | Versions < 22.4.4 | |
| PractiTest Test Management for Jira | All versions | |
| Prevent Anonymous Access | Versions < 3.1.0 | |
| ProScheduler: Resource Planning & Gantt - Project Management | Versions < 4.1.0 | |
| Project Archiver for Jira | Versions < 1.4.0 | |
| Project Budget for Jira | Versions < 1.2.0 | |
| Project Creator | All versions | |
| Project Documents for Jira | Versions < 3.9.1 | |
| Project Specific Select Field | Versions < 3.0.2 | |
| Project User Manager (PUM) | Versions < 1.2.5 | |
| Projectrak - Project Tracking for Jira | Versions < 8.8.2 | |
| Projektron BCS Connector for Jira | All versions | |
| QA Craft Test Management for Jira | Server versions < 4.1.20; Data Center versions < 4.1.21 | |
| QAlity - Test Management for Jira | All versions | |
| QAlity Plus - Test Management for Jira | All versions | |
| Quality Tiger - Test Management for Jira | All versions | |
| Quick Subtasks for Jira | All versions | |
| Raley Favourites for Jira | Versions < 1.1.1 | |
| ReceiveMe! - Email handler for Jira | Versions < 2.0.17 | |
| Refined for Jira \| Sites & Themes | Versions 3.3.x < 3.3.4; Versions < 3.2.21 | |
| RemindMe for Jira | Versions < 1.3.5 | |
| Report Builder | Versions < 3.9.1 | |
| Run CLI Actions in Jira | Versions < 10.2.1 | |
| SCIM User Provisioning for Jira | Versions < 2.7.1 | |
| Search by workflows | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Secure Admin for Jira | Versions < 3.4.2 | |
| Secure Code Warrior® for Jira | Versions < 1.0.45 | |
| Security Attachment Manager for Jira | Versions < 1.0.8 | |
| Security Fields and Attachments | All versions | |
| Service Desk Menu for Jira | Versions < 1.4.0 | |
| SharedManager | All versions | |
| Sign Off Plugin for Jira | Versions < 1.2.0 | |
| SIL Groovy Connector | Versions < 1.1.8 | |
| Simple Tasklists | Versions < 2.2.1 | |
| Simple Team Pages for Jira | Versions < 2.1.5 | |
| Simple notifications for Jira | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| SLA | All versions | |
| Smart Checklist for Jira. Pro | Versions < 5.6.1 | |
| Smart Issue Analyzer for Jira | All versions | |
| Smart Issue Analyzer for Jira Align | All versions | |
| Smart Issue Templates for Jira | Versions < 1.11.13 | |
| Sprint Capacity Planning & Tracking | All versions | |
| SQL+JQL Driver: Transform JQL into SQL | Versions < 9.11.3 | |
| Status History | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Status History PRO | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Status update reminder for Jira | Versions < 1.0.4 | |
| STM for Jira | Versions < 4.4.5 | |
| Story Mapping for Jira - Pro | Versions < 3.1.0 | |
| SU for Jira | Versions < 1.14.0 | |
| Subversion ALM | Versions < 9.3.4 | |
| sumUp for Jira | Versions < 3.6.6 | |
| swarmOS Analyzer | All versions | |
| Switch to User + Delegating SU (Jira) | Versions < 1.5.2 | |
| Sync Sub-Tasks to Parent | All versions | |
| Team Trax: Vacation, holidays, sick leaves tracker for Jira | All versions | The app vendor notes that all affected actions enforce additional permission checks that are not vulnerable to CVE-2022-0540. |
| Teamworkx Issue Picker for Jira | Versions < 8.7.8 | |
| Teamworkx Issue Publisher for Jira | Versions < 12.5.1 | |
| Teamworkx OTRS Integration for Jira | Versions < 70.40.10.0 | |
| Teamworkx Push and Pull Favorites | Versions < 7.0.11.9 | |
| Telegram Bot | All versions | |
| Template Manager | Versions < 1.4 | |
| TemplateMe! - Customized notifications | Versions < 2.8 | |
| Terms and Conditions for Jira | Versions < 2.1.0-5 | |
| Testlab for Jira | All versions | |
| Time in status \| SLA \| Timer \| Stopwatch for Jira DC/Cloud | Versions < 5.4.2 | |
| Timeline | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Timeline for Jira | Versions < 2.0.4 | The app vendor notes that all affected actions for versions < 2.0.4 enforce additional permission checks that are not vulnerable to CVE-2022-0540. |
| Timetracker - Time Tracking & Reporting | Versions < 4.9.8 | |
| TodoMe Connector (Jira) | All versions | |
| TodoMe for Jira | All versions | |
| ToDos for Jira Issues | All versions | |
| Translate Field Options for Jira | Versions < 1.3.6 | |
| Translator for Jira | All versions | |
| Trophy - gamification for Jira | Versions < 1.0.4 | |
| UiPath Test Manager for Jira | Versions < 2.0.4 | |
| URL Restrictions for Jira | Versions < 1.0.7 | |
| User Anonymizer for Jira (GDPR) | Versions < 2.0.5 | |
| User Availability Tracker for Jira | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| User Management by Project Administrator | Versions < 82000.1.14 | |
| User Mention Groups for the Richtext Editor | All versions | |
| User Picker Avatar for Jira | Versions < 3.5.0 | |
| User Profiles for Jira | Versions < 2.4.5 | |
| User Switcher for Jira | Versions < 3.1.1 | |
| VCAP - Video Capture for Jira Service Management | Versions < 1.0.2 | |
| Version & Component Sync for Jira | Versions < 2.9.7 | |
| VIP.LEAN TOOLS - Advanced Links | Versions < 1.1.4 | |
| vLinks - Easy Issue Linking | Versions < 2.3.2-25ca8af | |
| Watch It for Jira | Versions < 3.1.2 | |
| WBS Gantt-Chart for Jira | Versions < 9.14.4.1 | |
| Whiteboards for Jira: team collaboration | Versions < 1.51.2 | |
| Who deleted my issues | Versions < 3.0.0 | |
| Workflow Magic Box | Versions < 1.12-RELEASE | |
| Worklog History PRO | All versions | The app vendor advises customers to remediate this vulnerability by installing a fixed version of Jira. |
| Worklog express | Versions < 8.5.5-SNAPSHOT | |
| Worklogs - Time Tracking and Reports | Versions < 1.4.3 | |
| xCharts - Custom Charts & Reports for Jira | Versions < 1.7.8 | |
| xPort - Custom Worklog Export for Jira | Versions < 1.2.1 | |
| Xporter - Export issues from Jira | Versions < 6.9.9 | |