Security researchers have disclosed a critical broken authentication vulnerability in a couple of Jira products. The vulnerability is assigned a CVE ID CVE-2023-22501 with a CVSS score of 9.4, which is Critical in severity and is a broken authentication vulnerability in Jira Service Management Server and Jira Service Management Data Center, a service management platform designed for IT and customer service teams to manage requests and incident. The successful exploitation of this broke authentication vulnerability could allow a remote, unauthenticated attacker to impersonate another user and gain access to the affected versions of Jira Service Management instances. It is important to learn how to fix CVE-2023-22501, a critical broken authentication vulnerability in Jira Service Management Server and Jira Service Management Data Center. Let’s get started.
A short note about Jira Service Management Server and Data Center
Jira Service Management (previously known as Jira Service Desk) is a top-notch platform for IT and customer service teams to keep track of requests and incidents in a neat and organized fashion. With exciting features like automation, collaboration, and even Service Level Agreement (SLA) management, it’s no wonder why this platform is so sought after!
But wait, there’s more! Jira Service Management comes in two different editions – the Server edition and the Data Center edition. The Server edition is perfect for small to medium-sized teams, while the Data Center edition is the solution for big enterprises who want the highest level of availability, scalability, and performance. The Data Center edition has extra features like clustering and load balancing, not to mention improved security, performance, and reliability. It’s the ultimate package!
Summary Of CVE-2023-22501
This is a broken authentication vulnerability in Jira Service Management Server and Jira Service Management Data Center, which enables an attacker to gain access to the vulnerable Jira Service Management instance by impersonating another user. The attacker could exploit this vulnerability on the Jira Service Management instances on the outgoing email option enabled with write access to the User Directory. These features help the attacker to obtain signup tokens sent to the new legitimate user who has never been login into the Jira Service Management Servers and Data Centers.
According to the Vendor, the attacker can obtain signup tokens of the new legitimate user in two ways:
- The attacker should be included on Jira issues or requests with legitimate users, or
- Access to emails containing a “View Request” link from legitimate users by any way
The issue is being tracked as CVE-2023-22501 is rated with a severity level of this flaw as ‘critical’ as per Atlassian. Let’s see the CVSS score and vector of the vulnerability and how to fix the CVE-2023-22501 vulnerability in the coming sessions. Please check out the FAQ page for more details.
| Associated CVE ID | CVE-2023-22501 |
| Description | A Critical Broken Authentication Vulnerability in Jira Jira Service Management Server and Jira Service Management Data Center. |
| Associated ZDI ID | – |
| CVSS Score | 9.4 Critical |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L |
| Impact Score | 5.5 |
| Exploitability Score | 3.9 |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | None |
| User Interaction (UI) | None |
| Scope | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (a) | Low |
Atlassian said, “Bot accounts are particularly susceptible to this scenario. On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account.”– Vendor
Important points to know about CVE-2023-22501 (A broken authentication vulnerability in Jira Service Management Servers and Data Centers):
- The flaw affects only self-hosted products: Jira Service Management Servers and Data Centers.
- Jira Service Management Cloud is not vulnerable, and no action is required.
- Users connected to the Jira service via read-only User Directories or single sign-on (SSO) are not affected.
- External users who interact with the instance via email are affected, even when SSO is configured.
Jira Products Vulnerable to CVE-2023-22501
This flaw affects Jira Service Management Servers and Data Centers versions from 5.3.0 to 5.3.1 and 5.4.0 to 5.5.0:
- 5.3.0
- 5.3.1
- 5.3.2
- 5.4.0
- 5.4.1
- 5.5.0
How to Fix CVE-2023-22501- A Critical Broken Authentication Vulnerability in Jira Products?
Atlassian responded to this flaw by releasing patched versions of Jira Service Management Servers and Data Centers. Atlassian recommends upgrading vulnerable versions to any of the fixed versions to fix the vulnerability. Please see the table below to know the fixed versions of the Jira Service Management Server and Data Center. Download the latest versions of the Jira Service Management Server and Data Center from the official download center.
Refer to this Jira documentation to install or upgrade the Jira Service Management Servers and Data Centers. Or contact support for assistance.
| Product | Affected Versions | Fixed Versions |
|---|---|---|
| Jira Service Management Server and Data Center | 5.3.05.3.15.3.25.4.05.4.15.5.0 | 5.3.35.4.25.5.15.6.0 or later |
If in case, you are not in a position to upgrade Jira Service Management Server and Data Center any time soon, we recommend you to manually upgrade the version-specific servicedesk-variable-substitution-plugin JAR file as a temporary workaround. This would work as a roadblock and soften the attack intensity. This doesn’t mean you are covered from the attack. This just minimise the attack surface.
| Jira Service Management Versions | JAR File |
|---|---|
| 5.5.0 | servicedesk-variable-substitution-plugin-5.5.1-REL-0005.jar |
| 5.4.0, 5.4.1 | servicedesk-variable-substitution-plugin-5.4.2-REL-0005.jar |
| 5.3.0, 5.3.1, 5.3.2 | servicedesk-variable-substitution-plugin-5.3.3-REL-0001.jar |
Follow these simple steps to update the servicedesk-variable-substitution-plugin JAR file:
- Stop the Jira services
- Download the corresponding JAR file shown in the above table, copy the JAR file into your Jira home directory
- For Server:
<Jira_Home>/plugins/installed-plugins - For Data Center:
<Jira_Shared>/plugins/installed-plugins
- For Server:
- Start the Jira services