Skip to the content.

DIVD-2023-00014 - Critical Broken Authentication Flaw in Jira Service Management Products

Our reference DIVD-2023-00014
Case lead Rutger Hermens
Researcher(s)
CVE(s)
Product Jira Service Management Server and Data Center
Versions
  • 5.3.0
  • 5.3.1
  • 5.3.2
  • 5.4.0
  • 5.4.1
  • 5.5.0
Recommendation Update your Jira Service Management Server and Data Center to a fixed version to mitigate the vulnerability.
Status Open
Last modified 09 Mar 2023 09:47

Summary

Several Jira Service Management versions between 5.3.0 and 5.5.0 contain a vulnerability that allows an attacker to impersonate another user and gain access under certain circumstances. Especially vulnerable are bot accounts, as well as instances using SSO, where anyone can create their own account.

What you can do

Update your Jira Service Management Server and Data Center to one of the patched versions mentioned earlier in this case file to mitigate the vulnerability.

What we are doing

DIVD is currently working to identify vulnerable parties and notifying these. We do this by finding Jira Service Management Server and Data Center instances and verifying their version.

Timeline

Date Description
01 Feb 2023 Atlassian security advisory released
23 Feb 2023 DIVD starts researching fingerprint.
gantt title DIVD-2023-00014 - Critical Broken Authentication Flaw in Jira Service Management Products dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2023-00014 - Critical Broken Authentication Flaw in Jira Service Management Products (still open) :2023-02-01, 2023-04-03 section Events Atlassian security advisory released : milestone, 2023-02-01, 0d DIVD starts researching fingerprint. : milestone, 2023-02-23, 0d

More information