DIVD-2023-00014 - Critical Broken Authentication Flaw in Jira Service Management Products
| Our reference | DIVD-2023-00014 |
| Case lead | Rutger Hermens |
| Researcher(s) | |
| CVE(s) | |
| Product | Jira Service Management Server and Data Center |
| Versions |
|
| Recommendation | Update your Jira Service Management Server and Data Center to a fixed version to mitigate the vulnerability. |
| Status | Open |
| Last modified | 09 Mar 2023 09:47 |
Summary
Several Jira Service Management versions between 5.3.0 and 5.5.0 contain a vulnerability that allows an attacker to impersonate another user and gain access under certain circumstances. Especially vulnerable are bot accounts, as well as instances using SSO, where anyone can create their own account.
What you can do
Update your Jira Service Management Server and Data Center to one of the patched versions mentioned earlier in this case file to mitigate the vulnerability.
What we are doing
DIVD is currently working to identify vulnerable parties and notifying these. We do this by finding Jira Service Management Server and Data Center instances and verifying their version.
Timeline
| Date | Description |
|---|---|
| 01 Feb 2023 | Atlassian security advisory released |
| 23 Feb 2023 | DIVD starts researching fingerprint. |
gantt
title DIVD-2023-00014 - Critical Broken Authentication Flaw in Jira Service Management Products
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2023-00014 - Critical Broken Authentication Flaw in Jira Service Management Products (still open) :2023-02-01, 2023-04-03
section Events
Atlassian security advisory released : milestone, 2023-02-01, 0d
DIVD starts researching fingerprint. : milestone, 2023-02-23, 0d