Critical broken authentication vulnerability in Jira management products

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Severity Level – Critical (CVSS score 9.4): Compromise may result in the loss of confidentiality and integrity of data.

On 1st February 2023, Atlassian published an advisory for a security vulnerability, currently tracked as CVE-2023-22501, relating to a critical broken authentication flaw affecting its Jira Service Management Server and Data Centre products. As of 6th February 2023, no exploitation of the vulnerability in the wild had been detected.

Impact

Successful exploitation of this vulnerability will allow a threat actor to impersonate another user and thereby gain access to a Jira Service Management instance when certain conditions are met. When write access to a user directory and outgoing email rules are enabled on a Jira Service Management instance, a threat actor could gain access to signup tokens sent to users whose accounts have never been logged into. Access to these tokens can be obtained in the following scenarios:

– If the threat actor is included on Jira issues or requests with these users.
– If the threat actor is forwarded or otherwise gains access to emails containing a “View Request” link from these users.

Further, in Jira instances with the single sign-on mode enabled, external customer accounts can be affected in projects where anyone can create their own account.

Vulnerability Detection

Atlassian has released security patches for this vulnerability for the respective product versions. As such, previous versions are vulnerable to potential exploits.

Affected Products

The vulnerability affects the Jira Service Management Server and Jira Service Management Data Centre product lines. The following versions are affected:

– 5.3.0
– 5.3.1
– 5.3.2
– 5.4.0
– 5.4.1
– 5.5.0

Atlassian Cloud sites are not affected.

Containment, Mitigations & Remediations

It is recommended that Jira Service Management Server and Data Centre users update their respective products to a remediated version of the software as soon as possible and monitor Atlassian’s advisory for further details. The remediated versions are as follows:

– 5.3.3
– 5.4.2
– 5.5.1
– 5.6.0

Atlassian customers who are unable to immediately apply the relevant updates can manually upgrade the version-specific ‘servicedesk-variable-substitution-plugin’ JAR file as a temporary workaround.
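
An added example, not taken from Atlassian or from the original bulletin: a Python triage of an instance inventory against the affected and remediated version lists and the impact preconditions described above. The inventory schema (`deployment`, `directory_write_access`, `outgoing_email_enabled`, `last_login`) and the sample records are constructed assumptions.

```python
import re

# Version lists copied from the bulletin; 5.6.0 is also listed as remediated.
AFFECTED = {(5, 3, 0), (5, 3, 1), (5, 3, 2), (5, 4, 0), (5, 4, 1), (5, 5, 0)}
FIXED_BY_LINE = {(5, 3): "5.3.3", (5, 4): "5.4.2", (5, 5): "5.5.1"}


def parse_version(text):
    """Return (major, minor, patch) from strings such as '5.4.1' or 'v5.4.1-b2'."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def triage(instance):
    """Assess one inventory record (hypothetical schema) against the bulletin."""
    version = parse_version(instance["version"])
    # Atlassian Cloud sites are not affected, whatever version string is recorded.
    affected = instance["deployment"] != "cloud" and version in AFFECTED
    result = {"name": instance["name"], "affected": affected,
              "upgrade_to": None, "exposed_accounts": []}
    if not affected:
        return result
    result["upgrade_to"] = FIXED_BY_LINE[version[:2]]
    # Preconditions from the Impact section; only never-logged-in accounts count.
    if instance["directory_write_access"] and instance["outgoing_email_enabled"]:
        result["exposed_accounts"] = sorted(
            a["user"] for a in instance["accounts"] if a["last_login"] is None)
    return result


# Constructed sample inventory, not data from any real instance.
INVENTORY = [
    {"name": "jsm-prod", "deployment": "server", "version": "5.4.1",
     "directory_write_access": True, "outgoing_email_enabled": True,
     "accounts": [{"user": "alice", "last_login": "2023-01-12"},
                  {"user": "carol", "last_login": None}, {"user": "bob", "last_login": None}]},
    {"name": "jsm-dr", "deployment": "data_center", "version": "5.3.3",
     "directory_write_access": True, "outgoing_email_enabled": True,
     "accounts": [{"user": "dave", "last_login": None}]},
    {"name": "jsm-lab", "deployment": "server", "version": "v5.5.0-b2",
     "directory_write_access": True, "outgoing_email_enabled": False,
     "accounts": [{"user": "erin", "last_login": None}]},
]

if __name__ == "__main__":
    for record in INVENTORY:
        print(triage(record))
```

The single sign-on case for external customer accounts mentioned under Impact is not modelled here.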

Threat Landscape

Atlassian Jira currently holds 18.35% of the software configuration market share. Threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to spend their time on. As a result, Atlassian Jira products have become a prime target for threat actors. Because software management suites have become an integral aspect of both personal and business affairs, threat actors will continue to exploit vulnerabilities in the associated products in an attempt to exfiltrate the sensitive data they hold.

Threat Group

Due to the lack of detail contained within the Atlassian advisory, no specific threat actors have been identified as having exploited this vulnerability at the time of writing.

MITRE Methodologies

Credential Access:

T1556 – Modify Authentication Process

Further Information

Jira Advisory
Rapid7 Blog
