• Severity: 9.4 (Critical)
• CVE-2023-22501

      An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances. With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into. Access to these tokens can be obtained in two cases:

      • If the attacker is included on Jira issues or requests with these users, or
      • If the attacker is forwarded or otherwise gains access to emails containing a “View Request” link from these users.

      Bot accounts are particularly susceptible to this scenario. On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account.

      Affected versions:

      • 5.3.0
      • 5.3.1
      • 5.3.2
      • 5.4.0
      • 5.4.1
      • 5.5.0

      Fixed versions:

      • 5.3.3
      • 5.4.2
      • 5.5.1
      • 5.6.0
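To make the affected and fixed lists above mechanically checkable, here is an added Python example (it is not Atlassian's code and not part of the advisory). It decides whether a given product and version pair falls inside the advisory's ranges and names the fix release on the same branch. It assumes the version string is the plain dotted numeric shown on the Applications -> Versions and Licenses screen, identifies Jira Service Management by product name (Jira Software shares the Jira platform but is not listed as affected), and generalizes the two lists to the ranges they imply: every Jira Service Management release from 5.3.0 up to, but excluding, the fix release of its branch (5.3.3, 5.4.2, 5.5.1), with 5.6.0 and later carrying the fix.

```python
"""Decide whether an installed Jira version is in the CVE-2023-22501 ranges.

Added example; not Atlassian's code. The affected and fixed releases are
the ones stated in the advisory; the statement that Jira Service
Management below 5.3.0 is not affected comes from the comment thread.
Assumption: versions are plain dotted numerics such as "5.4.1" or "4.20.11".
"""
from __future__ import annotations

from typing import Optional

# First affected release, and the release that fixes each affected branch.
FIRST_AFFECTED = (5, 3, 0)
BRANCH_FIX = {
    (5, 3): (5, 3, 3),
    (5, 4): (5, 4, 2),
    (5, 5): (5, 5, 1),
}
# 5.6.0 and every later release ship with the fix.
FIXED_FROM = (5, 6, 0)


def parse_version(version: str) -> tuple[int, ...]:
    """Convert "5.4.1" to (5, 4, 1) so releases compare numerically, not as strings."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_jsm(product: str) -> bool:
    """True for the names JSM reports about itself ("Jira Service Management",
    "JIRA Service Management Application"); Jira Software / Jira Core are out of scope."""
    return "service management" in product.lower()


def is_affected(product: str, version: str) -> bool:
    """Return True when this product/version lies inside the advisory's affected range."""
    if not is_jsm(product):
        return False
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    # A release stays affected until its branch's fix release; branches not
    # in the table (5.6 and later) are treated as fixed from 5.6.0 on.
    fix = BRANCH_FIX.get(v[:2], FIXED_FROM)
    return v < fix


def recommended_fix(version: str) -> Optional[str]:
    """Name the fixed release on the same branch, or None when no upgrade is needed."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return None
    fix = BRANCH_FIX.get(v[:2], FIXED_FROM)
    if v >= fix:
        return None
    return ".".join(str(n) for n in fix)


if __name__ == "__main__":
    # Constructed sample inputs mirroring the questions raised in the comments.
    samples = [
        ("Jira Service Management", "5.4.1"),
        ("JIRA Service Management Application", "4.20.11"),
        ("Atlassian Jira Project Management Software", "8.20.11"),
        ("Jira Service Management", "5.6.0"),
    ]
    for product, version in samples:
        verdict = "AFFECTED" if is_affected(product, version) else "not affected"
        fix = recommended_fix(version) if is_jsm(product) else None
        print(f"{product} {version}: {verdict}" + (f", upgrade to {fix}" if fix else ""))
```

Comparing version tuples rather than strings matters here: a string comparison would rank "4.20.11" above "5.3.0", which is exactly the kind of mistake that leads to a wrong "affected" verdict for the 4.20.x install mentioned in the comments.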

            [JSDSERVER-12312] Critical severity authentication vulnerability - CVE-2023-22501

            Chris added a comment -

            Hey Atlassian, 

            We are currently in the process of migrating our JSD Server into the cloud. For the time being (until the migration is finished) we would like to patch our JSD server against this CVE, but our Server license has already expired, so we can't patch our system.
            Is there any solution for how we can solve this?

            Cheers, 

            Chris


            Husein Mohamed Ali added a comment - edited

            Hi Team

            Why is this vulnerability not showing here?

            I am not allowed to attach screenshot so I will try to explain

            If you go to Security at Atlassian: Vulnerabilities (https://www.atlassian.com/trust/data-protection/vulnerabilities), choose Jira Service Management and choose affected version 5.4.1,
            CVE-2023-22501 is not listed. Why?


            David Yu added a comment -

            Brian, the main Advisory here: https://confluence.atlassian.com/jira/jira-service-management-server-and-data-center-advisory-cve-2023-22501-1188786458.html Cloud is not affected. Was it ever affected? 🤷

            Brian Selewski added a comment -

            Does this affect Cloud users at all?

            Daniel R added a comment -

            cea19846ecb3 and 791ddd0d0dfc the vulnerability exists in Jira Service Management, not in Jira Software. You can determine what you have installed and the versions by visiting the Applications -> Versions and Licenses screen.

            Thanks,


            Daniel R added a comment -

            Hello atlassian113,

            Correct, the factor to be taken into consideration is write permission to a user management directory, not related to file system permissions. 

            Thanks,


            Daniel R added a comment -

            Hello 2ce37c8cf3b1,

            Your assumption is correct, Jira Software is not vulnerable. Jira Service Management versions less than 5.3.0 are not vulnerable and in the context you shared "application" and "server" are the same.

            Instructions on checking versions are a great suggestion! I'll forward this to the team responsible for writing advisories.

            Thanks,


            Samuel Leung added a comment - edited

            I also noticed in our environment, further down the "System Info" page, that it states the following under 'User installed apps':

            • JIRA Service Management Application - 4.20.11

            Is "JIRA Service Management Application" a different product from the stated vulnerable product "Jira Service Management Server"?

            The CVE Bulletin (CVE-2023-22501) is very misleading! 

            Atlassian should be directing users on where to go to find out which version they are running, AND better state which versions are vulnerable.


            Samuel Leung added a comment - edited

            I assume we are not affected, but the way Atlassian does its product naming and version alignment of the sub-products makes it quite ambiguous.

            Is there any way to categorically know that the following version is NOT vulnerable?

            • "Atlassian Jira Project Management Software (v8.20.11)"


            Gupta, Vishnu added a comment -

            We are on the Jira 9.X series, so do we need any upgrades?

              Assignee: Unassigned
              Reporter: Security Metrics Bot (security-metrics-bot)
              Votes: 0
              Watchers: 42
