Atlassian has released fixes to resolve a critical security flaw in Jira Service Management Server and Data Center that could be abused by an attacker to pass off as another user and gain unauthorized access to susceptible instances.
"An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances," Atlassian said.
"With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into."
The tokens, Atlassian noted, can be obtained in either of the two scenarios -
- If the attacker is included on Jira issues or requests with these users, or
- If the attacker is forwarded or otherwise gains access to emails containing a "View Request" link from these users
It also cautioned that while users who are synced to the Jira service via read-only User Directories or single sign-on (SSO) are not affected, external customers who interact with the instance via email are affected, even when SSO is configured.
The Australian software services provider said the vulnerability was introduced in version 5.3.0 and impacts all subsequent versions 5.3.1, 5.3.2, 5.4.0, 5.4.1, and 5.5.0. Fixes have been made available in versions 5.3.3, 5.3.3, 5.5.1, and 5.6.0 or later.
Atlassian emphasized that Jira sites hosted on the cloud via an atlassian[.]net domain are not affected by the flaw and that no action is required in this case.
The disclosure arrives more than two months after the company closed two critical security holes Bitbucket Server, Data Center, and Crowd products (CVE-2022-43781 and CVE-2022-43782) that could be exploited to gain code execution and invoke privileged API endpoints.