Atlassian Patches Critical Authentication Flaw in Jira Software


Atlassian has released multiple patches to fix a critical security vulnerability in Jira Service Management Server and Data Center.

The flaw (tracked as CVE-2023-22501) has a CVSS score of 9.4 and can reportedly be exploited by attackers to impersonate other users and obtain unauthorized access to affected instances.

“With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to sign-up tokens sent to users with accounts that have never been logged into,” reads a description of the flaw on the Jira website.

According to Atlassian, an attacker can obtain these tokens in one of two ways: by being included on Jira issues or requests together with those never-logged-in users, or by being forwarded (or otherwise gaining access to) emails that contain a ‘View Request’ link.

“Bot accounts are particularly susceptible to this scenario,” the company explained. “On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account.”

The Jira versions affected by the vulnerability are 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1 and 5.5.0. Atlassian has confirmed patches were released for versions 5.3.3, 5.4.2, 5.5.1 and 5.6.0. The company has urged customers to update to the latest patched version to protect their Jira instances from threat actors.
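The affected and fixed version lists above are the kind of data a defender wants to run over an inventory rather than read by hand. The following script is an added example, not Atlassian's code or tooling: it encodes only the versions named in this article, classifies any version outside those lists as "unlisted" rather than guessing, and recommends the lowest fixed release on the same minor line as the upgrade target. The hostnames in the sample inventory are constructed.

```python
"""Triage a Jira Service Management inventory against CVE-2023-22501.

Added example (not Atlassian's code). The version lists are those quoted in
the article; any version outside them is reported as "unlisted" rather than
guessed at, since the article gives no information about it.
"""
from __future__ import annotations

# Versions the article names as affected and as carrying the fix.
AFFECTED_VERSIONS = {"5.3.0", "5.3.1", "5.3.2", "5.4.0", "5.4.1", "5.5.0"}
FIXED_VERSIONS = ["5.3.3", "5.4.2", "5.5.1", "5.6.0"]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '5.4.1' into (5, 4, 1); raises ValueError on non-numeric input."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted' for one version string."""
    parsed = parse_version(version)  # validate and normalise (e.g. '5.04.1')
    normalised = ".".join(str(n) for n in parsed)
    if normalised in AFFECTED_VERSIONS:
        return "affected"
    if normalised in FIXED_VERSIONS:
        return "fixed"
    return "unlisted"


def recommended_upgrade(version: str) -> str | None:
    """For an affected version, the lowest fixed release on the same minor line.

    Staying on the same minor line keeps the upgrade small; if no fix existed
    on that line, the newest fixed release would be suggested instead.
    Returns None for versions that are not listed as affected.
    """
    if classify(version) != "affected":
        return None
    major, minor = parse_version(version)[:2]
    same_line = [
        fix for fix in FIXED_VERSIONS if parse_version(fix)[:2] == (major, minor)
    ]
    if same_line:
        return min(same_line, key=parse_version)
    return max(FIXED_VERSIONS, key=parse_version)


def triage(inventory: dict[str, str]) -> dict[str, tuple[str, str | None]]:
    """Map host -> (status, upgrade target) for a host->version inventory."""
    return {
        host: (classify(ver), recommended_upgrade(ver))
        for host, ver in inventory.items()
    }


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "jsm-prod.example.internal": "5.4.1",
        "jsm-staging.example.internal": "5.5.0",
        "jsm-legacy.example.internal": "5.2.0",
        "jsm-new.example.internal": "5.6.0",
    }
    for host, (status, target) in triage(sample).items():
        note = f" -> upgrade to {target}" if target else ""
        print(f"{host}: {status}{note}")
```

Run it as-is to see the sample inventory triaged; in practice the `sample` dictionary would be replaced by version strings pulled from your own asset inventory. Versions reported as "unlisted" still need a manual check against the vendor advisory, because this script deliberately does not extrapolate beyond the versions the article names.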

Atlassian also set up an FAQ page for the flaw, where it clarified that Atlassian Cloud instances (Jira sites hosted in Atlassian's cloud) had not been vulnerable to it.

The patches come a few months after multiple US security agencies included another Atlassian vulnerability (CVE-2022-26134) in a list of 20 flaws commonly exploited by Chinese state-sponsored actors since 2020.
