Atlassian has released fixes to resolve a critical security flaw in Jira Service Management Server and Data Center that could be abused by an attacker to pass as another user and gain unauthorized access to vulnerable instances.
The vulnerability is tracked as CVE-2023-22501 (CVSS score: 9.4) and has been described as a case of broken authentication with low attack complexity.
“An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances,” Atlassian said.
“With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into.”
The tokens, Atlassian noted, can be obtained in either of two cases:
- If the attacker is included on Jira issues or requests with these users, or
- If the attacker is forwarded or otherwise gains access to emails containing a “View Request” link from these users
It also cautioned that while users who are synced to the Jira instance via read-only User Directories or single sign-on (SSO) are not affected, external customers who interact with the instance via email are affected, even when SSO is configured.
The Australian software services provider said the vulnerability was introduced in version 5.3.0 and affects all subsequent versions 5.3.1, 5.3.2, 5.4.0, 5.4.1, and 5.5.0. Fixes have been made available in versions 5.3.3, 5.3.3, 5.5.1, and 5.6.0 or later.
Atlassian emphasized that Jira sites hosted on the cloud via an atlassian[.]net domain are not affected by the flaw and that no action is required in this case.
The disclosure comes more than two months after the company closed two critical security holes in its Bitbucket Server, Data Center, and Crowd products (CVE-2022-43781 and CVE-2022-43782) that could be exploited to gain code execution and invoke privileged API endpoints.
With flaws in Atlassian products becoming an alluring attack vector in recent months, it is vital that customers update their installations to the latest versions to mitigate potential threats.
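The following is an added triage helper, not code from Atlassian or from this article: it encodes the affected, patched and not-affected ranges stated above for CVE-2023-22501 and classifies an inventory of Jira Service Management instances (the inventory entries and the `assess` / `triage` names are constructed for this example).

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Ranges taken from the advisory summary above (constructed constants for this example).
INTRODUCED_IN: Version = (5, 3, 0)
AFFECTED = {(5, 3, 0), (5, 3, 1), (5, 3, 2), (5, 4, 0), (5, 4, 1), (5, 5, 0)}
FIXED_LINE_FROM: Version = (5, 6, 0)  # 5.6.0 or later carries the fix


def parse_version(text: str) -> Version:
    """Turn '5.4.1' or '5.4' into a (major, minor, patch) tuple; missing parts become 0."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jira version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(deployment: str, version: str) -> str:
    """Classify one instance for CVE-2023-22501.

    deployment: 'cloud' for atlassian.net-hosted sites (not affected, per the vendor),
    otherwise 'server' or 'datacenter'. Only the listed releases are vulnerable;
    any other release at or above 5.3.0 is a patched maintenance release or 5.6.0+.
    """
    if deployment.lower() == "cloud":
        return "not-affected (cloud)"
    v = parse_version(version)
    if v < INTRODUCED_IN:
        return "not-affected (predates 5.3.0)"
    if v in AFFECTED:
        return "vulnerable"
    if v >= FIXED_LINE_FROM:
        return "fixed (5.6.0 or later)"
    return "fixed (patched maintenance release)"


def triage(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the names of instances that still need the patch."""
    return [i["name"] for i in inventory if assess(i["deployment"], i["version"]) == "vulnerable"]


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    {"name": "jsm-prod", "deployment": "datacenter", "version": "5.4.1"},
    {"name": "jsm-staging", "deployment": "server", "version": "5.5.1"},
    {"name": "jsm-legacy", "deployment": "server", "version": "5.2.9"},
    {"name": "jsm-cloud", "deployment": "cloud", "version": "n/a"},
]
```

Running `triage(SAMPLE_INVENTORY)` returns `['jsm-prod']`, the only instance on a listed vulnerable release.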