Critical broken authentication vulnerability in Jira Service Management products
Indiscriminate, opportunistic targeting.
Severity Level – Critical (CVSS score 9.4): Compromise may result in the loss of confidentiality and integrity of data.
On 1st February 2023, Atlassian published an advisory for a security vulnerability, tracked as CVE-2023-22501, describing a critical broken authentication flaw in its Jira Service Management Server and Data Centre products. As of 6th February 2023, no exploitation in the wild had been reported.
Successful exploitation allows a threat actor to impersonate another user and thereby gain access to a Jira Service Management instance, provided certain conditions are met. Where the threat actor has write access to a user directory and outgoing email is enabled on the instance, the threat actor can obtain the signup tokens sent to users whose accounts have never been logged into. These tokens can be obtained in the following scenarios:
– If the threat actor is included on Jira issues or requests with these users
– If the threat actor is forwarded or otherwise gains access to emails containing a “View Request” link from these users.
Further, in Jira instances with the single sign-on mode enabled, external customer accounts can be affected in projects where anyone can create their own account.
Atlassian has released fixed versions for each affected product line; earlier releases remain vulnerable until upgraded.
The vulnerability affects the Jira Service Management Server and Jira Service Management Data Centre product lines. The following versions are affected:
Atlassian Cloud sites are not affected.
Containment, Mitigations & Remediations
It is recommended that Jira Service Management Server and Data Centre users update to a remediated version as soon as possible and monitor Atlassian’s advisory for further details. The fixed versions are as follows:
Customers who cannot apply the relevant update immediately can, as a temporary workaround, manually upgrade the version-specific servicedesk-variable-substitution-plugin JAR file to the fixed version, as described in Atlassian’s advisory. The workaround does not replace the upgrade, which should still be scheduled.
Atlassian Jira currently holds 18.35% of the software configuration market share. Threat actors generally weigh the probability of success against the value of the asset when deciding where to spend their effort, which makes widely deployed, internet-exposed Atlassian Jira products a prime target. As software management suites have become integral to both personal and business activity, threat actors will continue to exploit vulnerabilities in these products in an attempt to exfiltrate the sensitive data they hold.
Atlassian’s advisory does not attribute the vulnerability to any group, and at the time of writing no specific threat actor has been identified as exploiting it.
MITRE ATT&CK: T1556 – Modify Authentication Process