Skip to the content.

DIVD-2023-00014 - Critical Broken Authentication Flaw in Jira Service Management Products

Our reference DIVD-2023-00014
Case lead Rutger Hermens
Researcher(s)
CVE(s)
Product Jira Service Management Server and Data Center
Versions
  • 5.3.0
  • 5.3.1
  • 5.3.2
  • 5.4.0
  • 5.4.1
  • 5.5.0
Recommendation Update your Jira Service Management Server and Data Center to a fixed version (5.3.3, 5.4.2, 5.5.1, 5.6.0, or later) to mitigate the vulnerability.
Status Closed
Last modified 10 Apr 2023 12:59

Summary

Several Jira Service Management versions between 5.3.0 and 5.5.0 contain a vulnerability that allows an attacker to impersonate another user and gain access under certain circumstances. Especially vulnerable are bot accounts, as well as instances using SSO, where anyone can create their own account.

What you can do

Update your Jira Service Management Server and Data Center to one of the patched versions mentioned earlier in this case file to mitigate the vulnerability.

What we are doing

After creating a fingerprint, we started scanning the internet for possibly compromised servers.

From the data we gathered, we concluded there were no vulnerable servers directly accessible from the internet.

Timeline

Date Description
01 Feb 2023 Atlassian security advisory released
23 Feb 2023-
15 Mar 2023
DIVD starts researching fingerprint.
16 Mar 2023-
01 Apr 2023
DIVD starts scanning the internet for vulnerable instances.
05 Apr 2023 Case closed.
gantt title DIVD-2023-00014 - Critical Broken Authentication Flaw in Jira Service Management Products dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2023-00014 - Critical Broken Authentication Flaw in Jira Service Management Products (63 days) :2023-02-01, 2023-04-05 section Events Atlassian security advisory released : milestone, 2023-02-01, 0d DIVD starts researching fingerprint. (20 days) : 2023-02-23, 2023-03-15 DIVD starts scanning the internet for vulnerable instances. (16 days) : 2023-03-16, 2023-04-01 Case closed. : milestone, 2023-04-05, 0d

More information