
CVE-2022-0540 – Authentication bypass in Jira Seraph

Jira implements Seraph as the filter com.atlassian.jira.security.JiraSecurityFilter, whose doFilter() method calls the parent (Seraph) filter's implementation.

The Seraph filter uses its security config services to determine which roles the request requires.

Three such services are implemented in Jira:

  1. JiraPathService: if the requested servlet path starts with /secure/admin/, it requires the admin role.
  2. WebworkService: reads the roles-required configuration of the webwork action from the actions.xml file.
  3. JiraSeraphSecurityService: reads the roles-required configuration of webwork actions from every plugin's atlassian-plugin.xml file.

JiraPathService is easy to understand; our concern here is WebworkService and JiraSeraphSecurityService.
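The role lookup described above, modelled as an added Python example (not Jira's or Seraph's code): constructed actions.xml and atlassian-plugin.xml fragments are parsed for roles-required attributes, and required_roles() combines them with the /secure/admin/ prefix rule. The .jspa alias extraction and the fail-open empty set (no service names a role, so none is required) are simplifying assumptions about Seraph's behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed, minimal actions.xml fragment (Jira core webwork actions).
ACTIONS_XML = """<actions>
  <action name="com.example.ViewProfile" alias="ViewProfile" roles-required="use"/>
  <action name="com.example.EditAppProps" alias="EditApplicationProperties" roles-required="admin"/>
  <action name="com.example.Dashboard" alias="Dashboard"/>
</actions>"""

# Constructed, minimal atlassian-plugin.xml fragment for one plugin.
PLUGIN_XML = """<atlassian-plugin key="com.example.plugin">
  <webwork1 key="example-actions" name="Example Actions">
    <actions>
      <action name="com.example.plugin.Config" alias="ExamplePluginConfig" roles-required="sysadmin"/>
    </actions>
  </webwork1>
</atlassian-plugin>"""

ADMIN_PREFIX = "/secure/admin/"   # JiraPathService rule


def webwork_roles(xml_text):
    """Map action alias -> set of roles taken from its roles-required attribute."""
    roles = {}
    for action in ET.fromstring(xml_text).iter("action"):
        required = action.get("roles-required")
        if required:
            roles[action.get("alias")] = set(required.split(","))
    return roles


CORE_ROLES = webwork_roles(ACTIONS_XML)     # WebworkService source
PLUGIN_ROLES = webwork_roles(PLUGIN_XML)    # JiraSeraphSecurityService source


def action_alias(servlet_path):
    """'/secure/admin/Foo.jspa' -> 'Foo' (assumed mapping of a path to a webwork action alias)."""
    name = servlet_path.rsplit("/", 1)[-1]
    return name[:-5] if name.endswith(".jspa") else None


def required_roles(servlet_path):
    """Union of roles from the three services; an empty set means no role is required."""
    roles = set()
    if servlet_path.startswith(ADMIN_PREFIX):
        roles.add("admin")
    alias = action_alias(servlet_path)
    roles |= CORE_ROLES.get(alias, set())
    roles |= PLUGIN_ROLES.get(alias, set())
    return roles
```

Comparing what required_roles() returns for a path against what the action actually dispatched for that path needs is the check a reviewer of this mechanism would want to run.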
