bitvoodoo Advisories
Space shortcuts
Space Tools
bitvoodoo Advisories BVADVIS

Versions Compared

Old Version 2

changes.mady.by.user Viktoria Tempfli

Saved on

compared with

New Version 3

changes.mady.by.user Viktoria Tempfli

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Warning

This is a public space:

For the draft, please restrict the page during creation and
remove this warning when page is published



English

Contents

Table of Contents


Page properties


Date

 

Product

  • Jira Service Management Server

  • Jira Service Management Data Center

VulnerabilityCritical
CVECVE-2023-22501
Official linkhttps://confluence.atlassian.com/jira/jira-service-management-server-and-data-center-advisory-2023-02-01-1188786458.html




English
BASM

Vulnerability in Jira Service Management Server and Data Center - CVE-2023-22501

Dear customer,

on the 1st of February 2023 at 8 PM CEST, Atlassian issued a Security Advisory for Jira Service Management Server and Jira Service Management Data Center.

Atlassian Cloud sites are not affected. If your Jira site is accessed via an atlassian.net domain, it is hosted by Atlassian and you are not affected by the vulnerability.

What you need to know

This advisory discloses a critical severity security vulnerability which was introduced in version 5.3.0 of Jira Service Management Server and Data Center. 

An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances. With public signup enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into. Access to these tokens can be obtained in two cases:

  • If the attacker is included on Jira issues or requests with these users, or

  • If the attacker is forwarded or otherwise gains access to emails containing a “View Request” link from these users.

Bot accounts are particularly susceptible to this scenario. On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account.

Affected Versions

The following versions are affected by this vulnerability:

  • 5.3.0

  • 5.3.1

  • 5.3.2

  • 5.4.0

  • 5.4.1

  • 5.5.0

Fixed Versions

Product

Fixed Versions

Jira Service Management Server and Data Center

  • 5.3.3

  • 5.4.2

  • 5.5.1

  • 5.6.0 or later

What should I do?


Localtab Group


Localtab
activetrue
titleServer & Data Center

You use Jira Service Management Server or Data Center in a version listed in Affected Versions.

Upgrade

Atlassian recommends that you upgrade each of your affected installations to one of the listed fixed versions (or any later version) above (see the “Fixed Versions” section of this page for details).

For a full description of the latest version of Jira Service Management Server and Data Center, see the release notes. You can download the latest version of Jira Service Management and Data Center from the download center.

Note

bitvoodoo recommends ...

Mitigation

Installing a fixed version of Jira Service Management is the recommended way to remediate this vulnerability.

If you are unable to immediately upgrade Jira Service Management, you can manually upgrade the version-specific servicedesk-variable-substitution-plugin JAR file as a temporary workaround.

Jira Service Management Versions

JAR File

5.5.0

servicedesk-variable-substitution-plugin-5.5.1-REL-0005.jar

5.4.0, 5.4.1

servicedesk-variable-substitution-plugin-5.4.2-REL-0005.jar

5.3.0, 5.3.1, 5.3.2

servicedesk-variable-substitution-plugin-5.3.3-REL-0001.jar


To update the servicedesk-variable-substitution-plugin JAR file:

  1. Download the version-specific JAR file from the table above.

  2. Go to Administration

:cog:

  1.  > Manage apps and select Manage apps.

  2. Select Upload app and upload the file you downloaded in step 1.

Note

Make sure to schedule off-peak time to perform these steps.

After the plugin is loaded, it will be verified and Jira Service Management will be restarted.

The process can take up to 10 minutes. Other Jira functionality will continue to work as expected during this time.


If you are unable to upgrade your Jira Service Management instance or upload the JAR file in the mitigation above, another option is to disable public signup.

Disabling public signup is a complete mitigation of this vulnerability.

Because this step may disrupt the intended user flow of your instance, it should be treated as a temporary measure and Atlassian recommends that customers upgrade to a fixed version as soon as possible.

To disable public signup, go to Administration > Applications and select Configuration in the Jira Service Management section. Then, in the Public signup section, select No, only admins can create accounts.

Signup won't be available, and email requests from unidentified customers won't be processed.


Localtab
titleCloud
tabIconbvicon-cloud

You use Jira Service Management Cloud.

Tip

If your Jira site is accessed via an atlassian.net domain, it is hosted by Atlassian and you You are not affected by the vulnerability.

No need for actions





Support

If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via support.bitvoodoo.ch.



bitvoodoo Advisories BVADVIS