On February 1, 2023, Atlassian issued an advisory for CVE-2023-22501, a critical broken authentication vulnerability affecting its Jira Service Management Server and Data Center offerings. Jira Service Management Server and Jira Service Management Data Center are additional features that run on top of Jira Core.
Here’s everything you need to know about CVE-2023-22501:
What is CVE-2023-22501?
Under certain conditions, the vulnerability “allows an attacker to impersonate another user and gain access to a Jira Service Management instance,” according to Atlassian’s advisory. An attacker could gain access to sign-up tokens sent to users with accounts that have never been logged into if they have write access to a User Directory and outgoing email enabled on a Jira Service Management instance. Access to these tokens can be obtained in two cases:
- If the attacker is included on Jira issues or requests with these users
- If the attacker is forwarded or otherwise gains access to emails from these users that contain a “View Request” link.
Bot accounts are especially vulnerable in this scenario. External customer accounts may be affected in projects where anyone can create their own account on instances with single sign-on.”
Does CVE-2023-22501 affect me?
CVE-2023-22501 affects the following Jira Service Management Server and Data Center versions:
- 5.3.0
- 5.3.1
- 5.3.2
- 5.4.0
- 5.4.1
- 5.5.0
Atlassian Cloud sites (Jira sites accessed via an atlassian.net domain) are not affected.
Has CVE-2023-22501 been actively exploited in the wild?
As of February 6, 2023, the vulnerability had not been exploited in the wild. However, given the popularity of Atlassian products among attackers over the last two years, it’s worth remaining vigilant.
Fixing CVE-2023-22501
To mitigate the threat of CVE-2023-22501, users of Jira Service Management Server and Data Center should install a patched version of the software as soon as possible and keep an eye on Atlassian’s advisory for updates. Atlassian customers who are unable to upgrade Jira Service Management right away can temporarily get around this by manually upgrading the version-specific service desk-variable-substitution-plugin JAR file.
Next steps
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
- VulnRX – vulnerability fix database
- MITRE ATTACK framework – Mapping techniques to CVEs
- Exploit maturity: an introduction
- How to properly tackle zero-day threats
- OWASP Top 10 vulnerabilities 2022: what we learned
And finally…
Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate, and communicate your cyber risk across your entire organization. Get a demo today.
