Atlassian Warns of Critical Vulnerability That Could Take Over Jira

Atlassian warns Jira users of a serious vulnerability that could allow attackers to gain write access to Service Management. This requires attackers to receive a specific Jira user link. A patch for the bug is available.

Atlassian warns about the vulnerability on a separate advisory page; it is tracked as CVE-2023-22501 and carries a Critical severity rating with a score of 9.4. Atlassian has also published an FAQ with details about the vulnerability.

The vulnerability resides in Jira Service Management and Data Center, the central platform for Jira administrators. It makes it possible for an attacker to gain access to Jira Service Management "under certain conditions". An attacker could then intercept tokens sent to existing users, as well as to users who have not previously logged in. This allows them to create new user accounts.

This only applies to self-hosted installations and not to Atlassian Cloud users, who are already protected against the bug. Atlassian says that installations that cannot be reached from the internet must also be upgraded, although the company notes that the attack surface is significantly smaller for those installations.

According to Atlassian, attackers can exploit the bug if they already have a user account involved in a Jira issue, or if they have access to an email containing a "View Request" link from such a user. Atlassian says that bot accounts in particular will often fall under those conditions.

The vulnerability is present in versions 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1 and 5.5.0. The bug has since been fixed, but administrators still need to install a patched version. Atlassian has released three patches that fix the bug: 5.3.3, 5.4.2, 5.5.1 and 5.6.0.
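For an administrator who has to check a fleet of self-hosted instances against the version lists above, the following script (an added example, not code from Atlassian or from the original article) compares a reported Jira Service Management version against the affected and fixed versions named in the advisory summary. The host inventory is constructed sample data; the `parse_version`, `assess` and `triage` helpers are assumptions introduced here. Versions outside the listed release branches are reported as "unlisted" rather than assumed safe, because the article does not say anything about them.

```python
from __future__ import annotations

# Version data from the advisory summary above. Keyed by release branch
# (major, minor): the first patch level on that branch that is fixed.
FIXED_FROM: dict[tuple[int, int], int] = {
    (5, 3): 3,  # 5.3.0 - 5.3.2 affected, 5.3.3 fixed
    (5, 4): 2,  # 5.4.0 - 5.4.1 affected, 5.4.2 fixed
    (5, 5): 1,  # 5.5.0 affected, 5.5.1 fixed
    (5, 6): 0,  # 5.6.0 released as a fixed version
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '5.4.1' (or a vendor-suffixed form such as '5.4.1-p2') into
    a (major, minor, patch) tuple. Raises ValueError on junk input so a
    typo in an inventory never silently reads as 'unlisted'."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version: str) -> str:
    """Classify one version as 'affected', 'fixed' or 'unlisted'.

    'unlisted' means the release branch is not mentioned in the advisory
    summary; it is a prompt to consult the vendor advisory, not a verdict.
    """
    major, minor, patch = parse_version(version)
    fixed_patch = FIXED_FROM.get((major, minor))
    if fixed_patch is None:
        return "unlisted"
    return "fixed" if patch >= fixed_patch else "affected"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group host names by verdict so the 'affected' list can go straight
    into an upgrade ticket. Hostnames are sorted for stable output."""
    groups: dict[str, list[str]] = {"affected": [], "fixed": [], "unlisted": []}
    for host, version in inventory.items():
        groups[assess(version)].append(host)
    for hosts in groups.values():
        hosts.sort()
    return groups


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "jsm-prod-01": "5.4.1",
        "jsm-prod-02": "5.4.2",
        "jsm-staging": "5.5.0",
        "jsm-legacy": "5.2.4",
        "jsm-dc-node": "5.6.0-p1",
    }
    for verdict, hosts in triage(sample).items():
        print(f"{verdict:9s} {', '.join(hosts) or '-'}")
```

Run it as-is to see the sample triage, or replace `sample` with the output of your own configuration management system. Note that the advisory's "cannot be reached from the internet" case is deliberately not modelled: the article says those installations must be upgraded too, so network exposure does not change the verdict.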