Atlassian Jira Service Management Server and Data Center Broken Authentication Vulnerability (CVE-2023-22501)

Atlassian has released a security advisory to address a critical broken authentication vulnerability in Jira Service Management Server and Data Center (CVE-2023-22501). Under certain conditions, an attacker might use this vulnerability to impersonate another user to access a Jira Service Management instance. 
 
Jira Service Management is designed to unlock high-velocity teams by allowing each team to give excellent service quickly, increasing work visibility, and accelerating the pace at which work is transferred between the development, IT, and business teams. 
 
Jira Service Management Data Center is an enterprise IT Service Management Solution that allows teams to work together to meet security and compliance requirements while providing excellent customer service.

Description

Under certain circumstances, the broken authentication vulnerability in Jira Service Management Server and Data Center allows an attacker to impersonate another user and gain access to a Jira Service Management instance.

Exploitation requires a Jira Service Management instance that has write access to a User Directory and has outgoing email enabled. Under those conditions, an attacker can obtain the signup tokens sent to users whose accounts have never been logged into. The attacker can get hold of these tokens in either of the following cases:

  • The attacker has access to those users’ Jira issues or requests, or
  • Emails from those users containing “View Request” links are forwarded to the attacker, or the attacker otherwise gains access to those emails.

Bot accounts are particularly susceptible to this scenario. On instances that use single sign-on, external customer accounts can also be affected in projects where anyone can create their own account.

Affected versions

The vulnerability affects the following versions of the Jira Service Management Server and Data Center: 

  • 5.3.0 
  • 5.3.1 
  • 5.3.2 
  • 5.4.0 
  • 5.4.1 
  • 5.5.0 

Mitigation

Atlassian recommends its users upgrade to one of the listed fixed versions (or any later version):

  • 5.3.3 
  • 5.4.2 
  • 5.5.1 
  • 5.6.0 or later 

Please refer to the Jira Service Management Server and Data Center Advisory for more information.  

Workaround

If you are unable to upgrade immediately, Atlassian provides a temporary workaround: manually upgrade the version-specific servicedesk-variable-substitution-plugin JAR file. The JAR file to use for each affected Jira Service Management version is listed below:

Jira Service Management version   JAR file
5.5.0                             servicedesk-variable-substitution-plugin-5.5.1-REL-0005.jar
5.4.0, 5.4.1                      servicedesk-variable-substitution-plugin-5.4.2-REL-0005.jar
5.3.0, 5.3.1, 5.3.2               servicedesk-variable-substitution-plugin-5.3.3-REL-0001.jar

Follow the steps below to update the servicedesk-variable-substitution-plugin JAR file:

    1. Download the version-specific JAR file from the table above.
    2. Stop Jira.
    3. Copy the JAR file into your Jira home directory:
       • For Server: <Jira_Home>/plugins/installed-plugins
       • For Data Center: <Jira_Shared>/plugins/installed-plugins
    4. Start Jira.

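A scripted form of the four workaround steps, added here as an example and not taken from Atlassian's advisory or from Qualys: it enforces the version-to-JAR mapping from the table above, refuses a JAR meant for a different JSM line (for instance the 5.5.1 JAR on a 5.3.x instance), refuses to run at all on a version that is not in the table, backs up any plugin JAR already present, and supports a dry run. The JSM version is passed on the command line, Jira is stopped and started through bin/stop-jira.sh and bin/start-jira.sh under $JIRA_INSTALL (default /opt/atlassian/jira), and the home-directory argument is <Jira_Home> for Server or <Jira_Shared> for Data Center; those details are assumptions of this example, not statements from the advisory.

```shell
#!/bin/sh
# Added example, not Atlassian's or Qualys' code: applies the temporary workaround
# from the advisory (copy the version-specific servicedesk-variable-substitution-plugin
# JAR into installed-plugins) with the checks an operator would want first.
# Assumptions not taken from the advisory: the JSM version is supplied on the command
# line, Jira is stopped and started with bin/stop-jira.sh and bin/start-jira.sh under
# $JIRA_INSTALL (default /opt/atlassian/jira), and any JAR already present is backed up.
set -e

# Print the JAR name the advisory table gives for an affected JSM version.
# Prints nothing and returns 1 for any version not in the table.
jar_for_version() {
  case "$1" in
    5.5.0)             echo servicedesk-variable-substitution-plugin-5.5.1-REL-0005.jar ;;
    5.4.0|5.4.1)       echo servicedesk-variable-substitution-plugin-5.4.2-REL-0005.jar ;;
    5.3.0|5.3.1|5.3.2) echo servicedesk-variable-substitution-plugin-5.3.3-REL-0001.jar ;;
    *)                 return 1 ;;
  esac
}

# Run a command, or only echo it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then echo "+ $*"; else "$@"; fi
}

# apply_workaround <jsm-version> <downloaded-jar> <home-dir> [dry-run]
# <home-dir> is <Jira_Home> for Server or <Jira_Shared> for Data Center.
apply_workaround() {
  version=$1 jar=$2 home=$3 DRY_RUN=${4:-}
  expected=$(jar_for_version "$version") || {
    echo "JSM $version is not in the workaround table; upgrade instead" >&2; return 2; }
  # Refuse a JAR built for a different JSM line (e.g. the 5.5.1 JAR on a 5.3.x instance).
  [ "$(basename "$jar")" = "$expected" ] || {
    echo "JSM $version needs $expected, got $(basename "$jar")" >&2; return 2; }
  [ -f "$jar" ] || { echo "$jar not found" >&2; return 2; }
  dest="$home/plugins/installed-plugins"
  [ -d "$dest" ] || { echo "$dest does not exist; check the home path" >&2; return 2; }
  install_dir=${JIRA_INSTALL:-/opt/atlassian/jira}   # assumed default install path

  run "$install_dir/bin/stop-jira.sh"
  # Keep a copy of any plugin JAR already in place so the change can be reverted.
  for old in "$dest"/servicedesk-variable-substitution-plugin-*.jar; do
    [ -e "$old" ] && run cp -p "$old" "$old.bak-$(date +%Y%m%d%H%M%S)"
  done
  run cp "$jar" "$dest/"
  run "$install_dir/bin/start-jira.sh"
}

# Entry point: runs only when invoked with arguments, e.g.
#   ./workaround.sh 5.4.1 ./servicedesk-variable-substitution-plugin-5.4.2-REL-0005.jar \
#       /var/atlassian/application-data/jira dry-run
[ "$#" -eq 0 ] || apply_workaround "$@"
```

Run it once with the trailing dry-run argument to see the exact commands it would execute before letting it stop Jira. The script does not verify the JAR's integrity, since no checksum is given on this page; fetch the file only from the Atlassian advisory linked below and confirm the filename matches the table.
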
Qualys Detection

Qualys customers can scan their devices with QID 730718 to detect vulnerable assets.  
  
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.  
  
References 
https://jira.atlassian.com/browse/JSDSERVER-12312 
https://confluence.atlassian.com/jira/jira-service-management-server-and-data-center-advisory-cve-2023-22501-1188786458.html 
