DIVD-2023-00014 - Critical Broken Authentication Flaw in Jira Service Management Products

Our reference DIVD-2023-00014
Case lead Rutger Hermens
Researcher(s)
CVE(s)
Product Jira Service Management Server and Data Center
Versions
  • 5.3.0
  • 5.3.1
  • 5.3.2
  • 5.4.0
  • 5.4.1
  • 5.5.0
Recommendation Update your Jira Service Management Server and Data Center to a fixed version (5.3.3, 5.4.2, 5.5.1, 5.6.0, or later) to mitigate the vulnerability.
Status Closed
Last modified 10 Apr 2023 12:59 CEST

Summary

Several Jira Service Management versions between 5.3.0 and 5.5.0 contain a vulnerability that allows an attacker to impersonate another user and gain access under certain circumstances. Bot accounts are especially exposed, as are instances using SSO where anyone can create their own account.

What you can do

Update your Jira Service Management Server and Data Center to one of the patched versions mentioned earlier in this case file to mitigate the vulnerability.

What we are doing

After creating a fingerprint, we started scanning the internet for possibly compromised servers.

From the data we gathered, we concluded there were no vulnerable servers directly accessible from the internet.

Timeline

Date                        Description
01 Feb 2023                 Atlassian security advisory released.
23 Feb 2023 - 15 Mar 2023   DIVD starts researching fingerprint.
16 Mar 2023 - 01 Apr 2023   DIVD starts scanning the internet for vulnerable instances.
05 Apr 2023                 Case closed.

More information