---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Critical Security Flaw in Jira Service Management Server and Data Center'
version: '1.0'
number: '2023-006'
original_date: 'February 1, 2023'
date: 'February 3, 2023'
---

_History:_

* _03/02/2023 --- v1.0 -- Initial publication_

# Summary

A critical security flaw has been discovered in Jira Service Management Server and Data Center that can be exploited by an attacker to impersonate another user and gain unauthorized access to instances. The vulnerability is tracked as `CVE-2023-22501` with a CVSS score of 9.4 [1].

# Technical Details

An attacker with write access to a User Directory on an instance that has outgoing email enabled can obtain sign-up tokens sent to users who have never logged into their accounts. The tokens can be obtained either by being included in Jira issues or requests together with these users, or by gaining access to emails containing a _View Request_ link.

Atlassian notes that external customer accounts can be affected in projects where anyone can create their own account, even if the instance is configured with single sign-on.

# Affected Products

The vulnerability was introduced in version 5.3.0 and impacts all subsequent versions 5.3.1, 5.3.2, 5.4.0, 5.4.1, and 5.5.0.

Atlassian notes that users synced to the Jira service via read-only User Directories or single sign-on (SSO) are not affected. However, external customers who interact with the instance via email are affected, even when SSO is configured.

Jira sites hosted on the cloud via an `atlassian[.]net` domain are not affected.

# Recommendations

Atlassian recommends upgrading to the latest fixed versions 5.3.3, 5.5.1, and 5.6.0 or later to remediate this vulnerability.

As a temporary workaround, if an upgrade is not immediately possible, a version-specific JAR file can be manually upgraded [1].

# References

[1]
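The following Python helper is an added example, not part of the CERT-EU advisory or Atlassian's tooling: it classifies Server/Data Center versions against the affected and fixed versions listed above so an inventory can be triaged for upgrade. The inventory entries are constructed, and branches with no listed fix (such as 5.4.x) are treated as affected by assumption.

```python
# Added example (not CERT-EU's own tooling): triage a constructed inventory of
# Jira Service Management deployments against the version ranges in this advisory.
from typing import Dict, List, Tuple

INTRODUCED = (5, 3, 0)                 # flaw first present in 5.3.0
FIXED_BY_BRANCH = {(5, 3): (5, 3, 3),  # 5.3.x fixed from 5.3.3
                   (5, 5): (5, 5, 1)}  # 5.5.x fixed from 5.5.1
FIXED_FROM = (5, 6, 0)                 # 5.6.0 and later are fixed


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; reject anything else rather than guess."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if a Server/Data Center version is in the advisory's affected range.

    Branches with no listed fix (e.g. 5.4.x) are treated as affected; that is a
    conservative assumption of this example, not a statement from the advisory.
    """
    ver = parse_version(version)
    if ver < INTRODUCED or ver >= FIXED_FROM:
        return False
    branch_fix = FIXED_BY_BRANCH.get(ver[:2])
    return branch_fix is None or ver < branch_fix


def triage(inventory: List[Dict[str, str]]) -> List[str]:
    """Return hostnames that need the upgrade (or the temporary JAR workaround)."""
    needs_action = []
    for host in inventory:
        # Cloud sites on an atlassian.net domain are out of scope per the advisory.
        if host["hostname"].endswith(".atlassian.net"):
            continue
        if is_affected(host["version"]):
            needs_action.append(host["hostname"])
    return needs_action


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"hostname": "jsm-prod.example.org", "version": "5.4.1"},
    {"hostname": "jsm-test.example.org", "version": "5.5.1"},
    {"hostname": "jsm-old.example.org", "version": "5.2.4"},
    {"hostname": "example.atlassian.net", "version": "5.5.0"},
]
```

Calling `triage(SAMPLE_INVENTORY)` returns only the 5.4.1 host; the 5.5.1 host is already fixed, the 5.2.4 host predates the flaw, and the cloud site is excluded.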