Headline
CVE-2023-22501: [JSDSERVER-12312] Critical severity authentication vulnerability - CVE-2023-22501
An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances_._ With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into. Access to these tokens can be obtained in two cases: * If the attacker is included on Jira issues or requests with these users, or * If the attacker is forwarded or otherwise gains access to emails containing a “View Request” link from these users. Bot accounts are particularly susceptible to this scenario. On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account.
An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances_._ With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into. Access to these tokens can be obtained in two cases:
If the attacker is included on Jira issues or requests with these users, or
If the attacker is forwarded or otherwise gains access to emails containing a “View Request” link from these users.
Bot accounts are particularly susceptible to this scenario. On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account.
Affected versions:
5.3.0
5.3.1
5.3.2
5.4.0
5.4.1
5.5.0
Fixed versions:
- 5.3.3
- 5.4.2
- 5.5.1
- 5.6.0
Related news
Atlassian has released updates to address three security flaws impacting its Confluence Server, Data Center, and Bamboo Data Center products that, if successfully exploited, could result in remote code execution on susceptible systems. The list of the flaws is below - CVE-2023-22505 (CVSS score: 8.0) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 8.3.2 and
Categories: Exploits and vulnerabilities Categories: News Tags: patch Tuesday Tags: Microsoft Tags: Apple Tags: Adobe Tags: SAP Tags: Citrix Tags: Cisco Tags: Atlassian Tags: Google Tags: Mozilla Tags: Forta Tags: OpenSSH Tags: CVE-2023-21823 Tags: CVE-2023-21715 Tags: OneNote Tags: CVE-2023-23376 Tags: CVE-2023-21706 Tags: CVE-2023-21707 Tags: CVE-2023-21529 Tags: CVE-2023-21716 Tags: CVE-2023-23378 Tags: CVE-2023-22501 Tags: CVE-2023-24486 Tags: CVE-2023-24484 Tags: CVE-2023-24484 Tags: CVE-2023-24483 Tags: CVE-2023-25136 Tags: GoAnywhere Microsoft has released updates to patch three zero-days and lots of other vulnerabilities and so have several other vendors (Read more...) The post Update now! February's Patch Tuesday tackles three zero-days appeared first on Malwarebytes Labs.
Atlassian has released fixes to resolve a critical security flaw in Jira Service Management Server and Data Center that could be abused by an attacker to pass off as another user and gain unauthorized access to susceptible instances. The vulnerability is tracked as CVE-2023-22501 (CVSS score: 9.4) and has been described as a case of broken authentication with low attack complexity. "An