Atlassian has released multiple patches to fix a critical security vulnerability in Jira Service Management Server and Data Center.
The flaw (tracked CVE-2023-22501) has a CVSS score of 9.4 and can reportedly be exploited by attackers to impersonate other users and obtain unauthorized access to affected instances.
“With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to sign-up tokens sent to users with accounts that have never been logged into,” reads a description of the flaw on the Jira website.
According to Atlassian, access to these tokens can be obtained either via an attacker being included on Jira issues or requests with these users or if the attacker is forwarded (or otherwise gains access to) emails containing a ‘View Request’ link.
“Bot accounts are particularly susceptible to this scenario,” the company explained. “On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account.”
The Jira versions affected by the vulnerability are 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1 and 5.5.0. Atlassian has confirmed patches were released for versions 5.3.3, 5.4.2, 5.5.1 and 5.6.0. The company has urged customers to update to the latest patched version to protect their Jira instances from threat actors.
In a related report, Atlassian also set up an FAQ page for the flaw, where it clarified that Atlassian Cloud instances (Jira sites hosted on the cloud via an atlassian.net domain) had not been vulnerable to it.
The patches come a few months after multiple US security agencies included another Atlassian vulnerability (CVE-2022-26134) in a list of the 20 common flaws exploited by Chinese state-sponsored actors since 2020.