CVE‑2022‑0540 - Jira Seraph Vulnerability
Incident Report for TechTime Initiative Group
This incident has been resolved.
Posted May 06, 2022 - 09:13 NZST
A new version for Jira Easy SSO has been released to allow for users to update to Jira v8.22.2 and can be downloaded from
Posted Apr 22, 2022 - 16:57 NZST
We are continuing to monitor for any further issues.
Posted Apr 22, 2022 - 10:01 NZST
A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0.

1) Our EasySSO is not affected – we do not use the particular Seraph checks anywhere.
2) However, other apps say use these as the only protection for their UI components/screens. It's the implementation of these checks that is broken in Seraph.
3) We recommend upgrading to Jira 8.20.6 if possible to avoid related issues.
4) Do not upgrade to Jira v8.22.2 as Easy SSO Jira is disabled on this version at the moment - current status of this issue can be found here:
Posted Apr 22, 2022 - 10:00 NZST
This incident affected: TechTime Server Apps (EasySSO for Jira Server) and TechTime Data Center Apps (EasySSO for Jira Data Center).