Pierluigi Paganini February 03, 2023

Atlassian fixed a critical flaw in Jira Service Management Server and Data Center that can allow an attacker to impersonate another user and gain access to a Jira Service Management instance.

Atlassian has released security updates to address a critical vulnerability in Jira Service Management Server and Data Center, tracked as CVE-2023-22501 (CVSS score: 9.4), that could be exploited by an attacker to impersonate another user and gain unauthorized access to other Jira Service Management instances under certain circumstances.

“An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances.” reads the advisory published by the Australian software services provider. “With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into. Access to these tokens can be obtained in two cases:

• If the attacker is included on Jira issues or requests with these users, or
• If the attacker is forwarded or otherwise gains access to emails containing a “View Request” link from these users.”

The vulnerability affects the following versions:

• 5.3.0
• 5.3.1
• 5.3.2
• 5.4.0
• 5.4.1
• 5.5.0

The issue doesn’t impact users synced to Jira via read-only User Directories or single sign-on (SSO), however, external customers who interact with the instance via email are still affected, even when SSO is configured.

Atlassian addressed the flaw with the release of versions 5.3.3, 5.3.3, 5.5.1, and 5.6.0.

The advisory pointed out that users accessing their Jira site via an atlassian.net domain, it is hosted by Atlassian and you are not affected by the vulnerability. atlassian.net domain, it is hosted by Atlassian and you are not affected by the vulnerability.

Atlassian emphasized that Jira sites hosted on the cloud via an atlassian[.]net domain are not affected by the flaw and no action is required in this case.

In November 2022, the company addressed critical-severity vulnerabilities in its identity management platform, Crowd Server and Data Center, and in the Bitbucket Server and Data Center, a self-managed solution that provides source code collaboration for professional teams.

The vulnerability in the Bitbucket source code repository hosting service, tracked as CVE-2022-43781, is a critical command injection vulnerability.

The vulnerability received a CVSS score of 9/10 and affects Bitbucket Server and Data Center version 7 and, and version 8 if “mesh.enabled” is set to false in bitbucket.properties.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Moshen Dragon)