There is a critical authentication bypass vulnerability in six versions of Atlassian’s Jira Service Management products that can allow an attacker to impersonate a user and gain access to sign-up tokens in some specific circumstances.
The flaw (CVE-2023-22501) affects versions 5.3.0 to 5.3.1 and 5.4.0 to 5.5.0 of Jira Service Management Server and Data Center, but does not affect cloud-based versions. Atlassian has released updated versions that address the vulnerability. The bug was introduced in version 5.3.0 and is fixed in versions 5.3.3, 5.4.2, 5.5.1, and 5.6.0 and later.
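As an added example (not code from the article or from Atlassian), a small Python helper that applies the affected and fixed version ranges stated above to an inventory of Jira Service Management instances, so a defender can see which hosts still need the upgrade and which release to move to; the hostnames and versions in the sample inventory are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Version facts from the advisory summary above (Server and Data Center only).
INTRODUCED = (5, 3, 0)
AFFECTED_RANGES = [((5, 3, 0), (5, 3, 1)), ((5, 4, 0), (5, 5, 0))]  # inclusive
FIXED_BY_BRANCH = {(5, 3): (5, 3, 3), (5, 4): (5, 4, 2), (5, 5): (5, 5, 1)}
FIRST_FIXED_LATER = (5, 6, 0)  # 5.6.0 and later ship the fix

@dataclass
class Assessment:
    host: str
    version: str
    affected: bool
    reason: str
    upgrade_to: Optional[str] = None

def parse_version(text: str) -> tuple:
    # '5.4' becomes (5, 4, 0); anything non-numeric or too long is rejected.
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def recommended_upgrade(v: tuple) -> str:
    # Lowest fixed release on the instance's own minor branch, else 5.6.0.
    return ".".join(map(str, FIXED_BY_BRANCH.get(v[:2], FIRST_FIXED_LATER)))

def assess(host: str, version: str, deployment: str = "server") -> Assessment:
    if deployment.lower() == "cloud":
        return Assessment(host, version, False, "cloud-hosted instances are not affected")
    v = parse_version(version)
    if v < INTRODUCED:
        return Assessment(host, version, False, "predates 5.3.0, where the bug was introduced")
    if any(lo <= v <= hi for lo, hi in AFFECTED_RANGES):
        return Assessment(host, version, True, "within an affected range", recommended_upgrade(v))
    return Assessment(host, version, False, "outside the affected ranges listed in the advisory")

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("jsm-prod.example.test", "5.4.1", "datacenter"),
    ("jsm-staging.example.test", "5.5.0", "server"),
    ("jsm-legacy.example.test", "5.2.3", "server"),
    ("example.atlassian.net", "5.4.0", "cloud"),
]

def affected_hosts(inventory=SAMPLE_INVENTORY):
    # (host, version, upgrade_to) for every instance that still needs the fix.
    results = [assess(h, v, d) for h, v, d in inventory]
    return [(r.host, r.version, r.upgrade_to) for r in results if r.affected]
```

Calling `affected_hosts()` on the sample inventory flags only the two on-premises hosts inside the affected ranges and names the lowest fixed release on their own branch.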
“An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances. With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into,” the Atlassian advisory says.
In order to exploit the vulnerability and gain access to those tokens, an attacker would need to be included on Jira issues or requests with the target users, or have access to emails with a “View Request” link for the users.
“Bot accounts are particularly susceptible to this scenario. On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account,” the advisory says.
Atlassian is urging users to upgrade their installations as soon as possible, but there is a mitigation available if that’s not practical immediately.
“If you are unable to immediately upgrade Jira Service Management, you can manually upgrade the version-specific servicedesk-variable-substitution-plugin JAR file as a temporary workaround,” the advisory says.