Atlassian warns Jira users of a serious vulnerability that could allow attackers to gain write access to Service Management. To do so, attackers must first obtain a specific Jira user link. A patch for the bug is available.
Atlassian describes the vulnerability, which has been assigned tracking number CVE-2023-22501, on a separate advisory page. The bug carries a Critical severity rating of 9.4. Atlassian has also put an FAQ online with details about the vulnerability.
The vulnerability resides in Jira Service Management and Data Center, the central platform for Jira administrators. It makes it possible for an attacker to gain access to Jira Service Management 'under certain conditions'. An attacker could then intercept tokens sent to existing users, as well as tokens for users who have not previously logged in, and use them to create new user accounts.
This only applies to self-hosted installations and not to Atlassian Cloud users, who are already protected against the bug. Atlassian says that installations that are not reachable from the internet should also be upgraded, although the company notes that the attack surface is significantly smaller for those installations.
According to Atlassian, attackers can exploit the bug if they already have a user account that is involved in a Jira issue, or if they have access to an email containing a View Request from such a user. Atlassian says that bot accounts in particular will often meet those conditions.
The vulnerability is present in versions 5.3.0, 5.3.1 and 5.3.2, and in 5.4.0, 5.4.1 and 5.5.0. The bug has since been fixed, but administrators still need to install the update themselves. Atlassian has released patched versions that fix the bug: 5.3.3, 5.4.2, 5.5.1 and 5.6.0.