News
April 20, 2022 · 3 min read

Jira Authentication Bypass CVE-2022-0540 and Customfield Editor for Jira

Please update the Server/DC app to v2.13.1.

In April 2022 a new critical Jira vulnerability was discovered. The vulnerability is listed as CVE-2022-0540 and categorized as Critical with a CVSS score of 10.

What does that mean?

Jira and Jira Service Management Server and Data Center are vulnerable to an authentication bypass (CVE-2022-0540). Although the vulnerability is in Jira itself, it affects first- and third-party apps that use so-called WebWork actions (e.g. "Jira Pages") in a certain way.

Atlassian has published a FAQ page which tells you how to secure your Atlassian Jira Server or Data Center installation. codeclou Apps for Atlassian Jira are automatically secured once you update Jira.

Which apps are affected?

Here is the full list of codeclou apps:

Customfield Editor for Jira: affected
Advanced Codeblocks for Confluence: not affected
Release Info for Confluence: not affected

What is the solution when I am able to update Jira and Apps?

codeclou has published a bugfix with app version 2.13.1 for the Data Center and Server version of Customfield Editor for Jira.

Please make sure you secure your root Jira installations by following the steps described in the Atlassian FAQ for CVE-2022-0540.

In short: update Jira and the codeclou apps to the following versions to be protected from CVE-2022-0540:

What is the solution when my Jira is old and I cannot update Jira or the App?

The threat for the Customfield Editor for Jira is very limited, since the app's REST API has additional authentication checks in place and is not affected by the bug. In the Customfield Editor for Jira app, the WebWork pages do not accept user input or provide any data server-side. They simply serve "blank" pages for the frontend (React) to hook into, and the frontend then calls the REST API. So even if someone were able to view a WebWork admin page, they would only see a blank page, because the REST API is secured independently.
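To illustrate the defense-in-depth pattern described above, here is an added example (not codeclou's own code) of a Jira Server/DC REST resource that enforces its own administrator check instead of relying on the WebWork page that loads the frontend. The resource path, class name and JSON shape are assumptions; the Jira APIs used (ComponentAccessor, JiraAuthenticationContext, GlobalPermissionManager, CustomFieldManager) are the standard Jira Server/DC Java APIs.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import com.atlassian.jira.component.ComponentAccessor;
import com.atlassian.jira.issue.fields.CustomField;
import com.atlassian.jira.permission.GlobalPermissionKey;
import com.atlassian.jira.security.GlobalPermissionManager;
import com.atlassian.jira.security.JiraAuthenticationContext;
import com.atlassian.jira.user.ApplicationUser;

// Hypothetical REST resource backing an admin-only React page.
// The WebWork action that serves the page is a blank shell; all data
// access goes through this endpoint, which re-checks authentication
// and the ADMINISTER global permission on every call.
@Path("/admin/customfields")
public class CustomFieldAdminResource {

    // Returns null when the caller is allowed, otherwise the error response.
    private Response requireAdministrator() {
        JiraAuthenticationContext authCtx = ComponentAccessor.getJiraAuthenticationContext();
        GlobalPermissionManager permissions = ComponentAccessor.getGlobalPermissionManager();
        ApplicationUser user = authCtx.getLoggedInUser();
        if (user == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        if (!permissions.hasPermission(GlobalPermissionKey.ADMINISTER, user)) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        return null;
    }

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public Response listCustomFields() {
        Response denied = requireAdministrator();
        if (denied != null) {
            return denied; // no data leaves the server without a passing check
        }
        List<Map<String, String>> result = new ArrayList<>();
        for (CustomField field : ComponentAccessor.getCustomFieldManager().getCustomFieldObjects()) {
            Map<String, String> entry = new HashMap<>();
            entry.put("id", field.getId());
            entry.put("name", field.getName());
            result.add(entry);
        }
        return Response.ok(result).build();
    }
}
```

With this layout, reaching the WebWork page without authentication yields only the empty shell; every REST call the shell makes is gated again by requireAdministrator().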

The threat on Jira itself might be a lot higher; please ask Atlassian Support in that regard.

Summary

We have analyzed all our apps for potential threats regarding CVE-2022-0540. codeclou provides an app update for affected apps. Please update Jira and all your apps to be protected from CVE-2022-0540.