Atlassian has released a number of patches to resolve a critical security vulnerability in Jira Assistance Management Server and Data Middle.
The flaw (tracked CVE-2023-22501) has a CVSS score of 9.4 and can reportedly be exploited by attackers to impersonate other people and get hold of unauthorized obtain to influenced occasions.
“With create accessibility to a Person Listing and outgoing email enabled on a Jira Company Administration instance, an attacker could achieve obtain to signal-up tokens sent to customers with accounts that have under no circumstances been logged into,” reads a description of the flaw on the Jira web page.
In accordance to Atlassian, access to these tokens can be acquired possibly by way of an attacker becoming involved on Jira issues or requests with these users or if the attacker is forwarded (or normally gains access to) email messages that contains a ‘View Request’ link.
“Bot accounts are notably vulnerable to this scenario,” the company defined. “On situations with solitary indication-on, external customer accounts can be influenced in jobs where any individual can create their possess account.”
The Jira versions influenced by the vulnerability are 5.3., 5.3.1, 5.3.2, 5.4., 5.4.1 and 5.5.. Atlassian has confirmed patches ended up unveiled for variations 5.3.3, 5.4.2, 5.5.1 and 5.6.. The business has urged prospects to update to the hottest patched variation to protect their Jira scenarios from danger actors.
In a connected report, Atlassian also set up an FAQ site for the flaw, the place it clarified that Atlassian Cloud situations (Jira internet sites hosted on the cloud by way of an atlassian.net area) experienced not been vulnerable to it.
The patches come a number of months right after many US security organizations included another Atlassian vulnerability (CVE-2022-26134) in a listing of the 20 typical flaws exploited by Chinese condition-sponsored actors given that 2020.
Some parts of this short article are sourced from: