Atlassian has revealed it has fixed a major flaw in their Service Management Server and Data Center products.
The vulnerability, tracked as CVE-2023-22501, allows threat actors to impersonate (opens in new tab) people and gain access to a Jira Service Management instance under certain circumstances. It has been given a severity score of 9.4, making it a critical flaw.
“With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to sign-up tokens sent to users with accounts that have never been logged into,” Atlassian noted in its description of the vulnerability.
Vulnerable versions
The company explained that a threat actor might be able to get the tokens by being included on Jira issues or requests with the users, or if they somehow obtain an email with the “View Request” link.
“Bot accounts are particularly susceptible to this scenario,” Atlassian further explained. “On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account.”
These are the Jira versions vulnerable to the flaw: 5.3.0; 5.3.1; 5.3.2; 5.4.0; 5.4.1, and 5.5.0. To be on the safe side, make sure to bring your Jira up to versions 5.3.3; 5.4.2; 5.5.1, or 5.6.0.
Atlassian products seem to be a popular target among cybercriminals. In October last year, the US Cybersecurity and Infrastructure Agency (CISA) noted that a high-severity flaw found in two widely-used Atlassian Bitbucket tools – Server and Data Center, was being actively exploited in the wild.
Before that, in July, it was reported that Jira, Confluence, and Bamboo, were vulnerable to CVE-2022-26136, an arbitrary Servlet Filter bypass that allowed threat actors to bypass custom Servlet FIlters that third-party apps use for authentication. The flaw was deemed high-severity.
Via: Infosecurity Magazine (opens in new tab)
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba