Atlassian resolves critical security vulnerability
Atlassian has addressed a serious security vulnerability in its Jira Service Management Server and Data Center that could have allowed an attacker to impersonate another user and gain unauthorized access.
The vulnerability, tracked as CVE-2023-22501, has been categorized as a broken authentication issue with low attack complexity. According to the company, with write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to that instance.
The attacker can obtain the signup tokens by being included in Jira issues or requests with the users, or by gaining access to emails containing a “View Request” link from these users. The vulnerability affects external customers who interact with the instance via email, even when single sign-on (SSO) is configured.
The tokens that the attacker can use to gain unauthorized access to Jira Service Management Server and Data Center can be obtained in two scenarios: first, if the attacker is included on Jira issues or requests with these users; second, if the attacker is forwarded or otherwise gains access to emails containing a “View Request” link from these users.
These tokens are sent to users whose accounts have never been logged into, when write access to a User Directory and outgoing email are enabled on the Jira Service Management instance. The vulnerability was introduced in version 5.3.0 and affects all subsequent versions up until 5.5.0.
Atlassian stated that the vulnerability was introduced in version 5.3.0 and impacts all subsequent versions. The company has made fixes available in versions 5.3.3, 5.5.1, and 5.6.0 or later. Jira sites hosted on the cloud via an atlassian[.]net domain are not affected by the flaw and no action is required in this case.
Users who are synced to the Jira service via read-only User Directories or single sign-on (SSO) are also not affected. External customers who interact with the instance via email, however, are still vulnerable even when SSO is configured.
It is important for users to upgrade their installations to the latest version to avoid potential threats, as flaws in Atlassian products have become an attractive attack vector in recent months. Two months ago, the company fixed two critical security holes in its Bitbucket Server, Data Center, and Crowd products that could have been exploited to gain code execution and invoke privileged API endpoints.
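As an added example (not Atlassian's code and not from the source article), the following Python sketch triages an inventory of Jira Service Management instances against the version ranges stated above. The host names, the inventory layout and the status labels are assumptions made for illustration; a release line for which the article names no fixed version is flagged for a check against the vendor advisory rather than guessed.

```python
import re

# Version boundaries taken from the article only.
INTRODUCED = (5, 3, 0)                                   # flaw introduced in 5.3.0
FIXED_BY_LINE = {(5, 3): (5, 3, 3), (5, 5): (5, 5, 1)}   # fixed release named per release line
FIXED_FROM = (5, 6, 0)                                   # 5.6.0 or later is fixed

def parse_version(text):
    """Parse 'major.minor[.patch]' into a tuple; raise ValueError otherwise."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def classify(version):
    """Classify one Server/Data Center version against the article's ranges."""
    v = parse_version(version)
    if v < INTRODUCED:
        return "not-affected"
    if v >= FIXED_FROM:
        return "fixed"
    fix = FIXED_BY_LINE.get(v[:2])
    if fix is None:
        # In the affected range, but the article names no fixed release for this line.
        return "affected-check-advisory"
    return "fixed" if v >= fix else "affected"

def triage(inventory):
    """Map each host to a status; cloud sites need no action per the article."""
    result = {}
    for host, deployment, version in inventory:
        if deployment == "cloud":
            result[host] = "not-affected"
            continue
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unknown-version"
    return result

# Constructed inventory (hypothetical hosts): (host, deployment, version).
INVENTORY = [
    ("jsm-a.example.internal", "server", "5.2.4"),
    ("jsm-b.example.internal", "datacenter", "5.3.2"),
    ("jsm-c.example.internal", "datacenter", "5.4.1"),
    ("jsm-d.example.internal", "server", "5.5.1"),
    ("jsm-e.example.internal", "server", "5.5.0-rc1"),
    ("jsm-f.example.net", "cloud", ""),
]
```

Instances reported as `affected` or `affected-check-advisory` are the ones to schedule for upgrade first; `unknown-version` entries need a manual look at the installed build.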
The sources for this piece include an article in TheHackerNews.