Atlassian Releases Patches for Critical Authentication Vulnerability in Jira Software


Atlassian has released fixes to patch a new critical vulnerability in Jira Service Management Server and Data Center. The security flaw could enable threat actors to impersonate Jira users and gain unauthorized access to affected instances.

The security vulnerability is tracked as CVE-2023-22501, and it has a critical severity score
(CVSS score) of 9.4. The company has acknowledged that the flaw impacts Jira versions 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1, and 5.5.0.

“This advisory discloses a critical severity security vulnerability which was introduced in version 5.3.0 of Jira Service Management Server and Data Center,” Atlassian explained. “With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into.”

According to Atlassian, the attackers could get access to tokens if they’re included in Jira issues or requests. It’s also possible that the hacker gains unauthorized access to sensitive emails with “View Request” links.

Atlassian emphasized that these attacks particularly target bot accounts created to work with Jira Service Management. The vulnerability might also affect external customer accounts in instances with single sign-on. However, it doesn’t impact Jira sites accessed via an domain (Atlassian Cloud instances).

Atlassian urges customers to update their Jira installations

Atlassian has released security updates to address the authentication vulnerability in versions 5.3.3, 5.4.2, 5.5.1, and 5.6.0 of Jira Service Management Server and Data Center. The company has recommended customers to install the latest update as soon as possible to protect their Jira instances from cyber attacks.

Meanwhile, Atlassian has also provided a workaround solution for organizations that are unable to immediately deploy the update in their environments. These customers can use a JAR file to manually upgrade the “servicedesk-variable-substitution-plugin,” and you can find more details in the security advisory.