There's a critical vulnerability in Jira Service Management Server and Data Center. Here's what you need to know.
On February 1, 2023, Atlassian issued a security advisory for a critical vulnerability. The flaw, CVE-2023-22501, affects Jira Service Management Server and Data Center, products commonly used for collaboration and development. The vulnerability allows an attacker to impersonate another user and gain access to a Jira Service Management instance. Atlassian has released a security update, which should be installed as soon as possible.
An attacker could gain access to signup tokens sent to users with accounts that have never been logged into. This is possible in certain configurations when write access to a User Directory and outgoing email are enabled on a Jira Service Management instance. Access to these tokens can be obtained in two cases:
- If the attacker is included on Jira issues or requests with these users, or
- If the attacker is forwarded or otherwise gains access to emails containing a “View Request” link from these users.
Bot accounts are particularly susceptible to this vulnerability and could be targeted, since their behavior often meets the criteria an attacker would need to acquire signup tokens. Corvus has observed similar vulnerabilities leading to data theft and extortion as well as ransomware attacks.
The vulnerability affects the following versions of Jira Service Management Server and Jira Service Management Data Center:
Note: Atlassian Cloud sites are not affected. If your Jira site is accessed via an atlassian.net domain, it is hosted by Atlassian and you are not affected by the vulnerability.
- Update to a fixed version.
- If you are unable to immediately upgrade Jira Service Management, you can manually upgrade the version-specific servicedesk-variable-substitution-plugin JAR file as a temporary workaround:
  - Download the version-specific JAR file from the table at this page (see “Mitigation” section).
  - Stop Jira.
  - Copy the JAR file into your Jira home directory:
    - For Server: `<Jira_Home>/plugins/installed-plugins`
    - For Data Center: `<Jira_Shared>/plugins/installed-plugins`
  - Start Jira.
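The workaround steps above, carried out by a POSIX shell function, as an added example that is not Atlassian's or Corvus's own tooling. It assumes the version-specific JAR has already been downloaded from Atlassian's mitigation table, that the operator passes in the commands used to stop and start Jira on that host (these vary by installation), and that any older copy of the same plugin in installed-plugins should be moved aside rather than left beside the new one (an assumption, not something the advisory states). The deployment argument selects between the Server path under `<Jira_Home>` and the Data Center path under `<Jira_Shared>`.

```shell
#!/bin/sh
# Added example: applies the temporary CVE-2023-22501 workaround by replacing the
# servicedesk-variable-substitution-plugin JAR in installed-plugins.
# Not Atlassian's or Corvus's code. Assumptions: the JAR is already downloaded;
# stop/start commands are supplied by the operator; an older copy of the plugin
# is moved to a backup directory (assumed safe, not stated by the advisory).

# apply_jsm_workaround <jar-file> <server|datacenter> <Jira_Home-or-Jira_Shared> <stop-cmd> <start-cmd>
apply_jsm_workaround() {
    jar="$1"; deployment="$2"; basedir="$3"; stop_cmd="$4"; start_cmd="$5"

    # Only the named plugin JAR should ever be dropped in by this script.
    case "$(basename "$jar")" in
        servicedesk-variable-substitution-plugin*.jar) ;;
        *) echo "unexpected JAR name: $jar" >&2; return 1 ;;
    esac
    [ -f "$jar" ] || { echo "JAR not found: $jar" >&2; return 1; }

    # Server: <Jira_Home>/plugins/installed-plugins
    # Data Center: <Jira_Shared>/plugins/installed-plugins
    case "$deployment" in
        server|datacenter) target="$basedir/plugins/installed-plugins" ;;
        *) echo "deployment must be 'server' or 'datacenter'" >&2; return 1 ;;
    esac
    [ -d "$target" ] || { echo "plugin directory missing: $target" >&2; return 1; }

    # Stop Jira before touching installed-plugins.
    sh -c "$stop_cmd" || { echo "stop command failed" >&2; return 1; }

    # Move any existing copy of the plugin aside so only the new JAR remains.
    backup="$basedir/plugins/installed-plugins.bak.$(date +%s)"
    mkdir -p "$backup"
    for old in "$target"/servicedesk-variable-substitution-plugin*.jar; do
        [ -e "$old" ] && mv "$old" "$backup/"
    done

    cp "$jar" "$target/" || { echo "copy failed" >&2; return 1; }
    # Verify the copied file byte-for-byte before bringing Jira back up.
    cmp -s "$jar" "$target/$(basename "$jar")" || { echo "copy verification failed" >&2; return 1; }

    sh -c "$start_cmd"
}
```

A typical invocation on a Server installation would be `apply_jsm_workaround /tmp/servicedesk-variable-substitution-plugin-<version>.jar server /var/atlassian/application-data/jira "$STOP" "$START"`, with the JAR name and the stop/start commands taken from the host's own installation; the function refuses to run if the JAR name, deployment type, or plugin directory does not match what the advisory describes.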