- The newest Echo Show 8 just hit its lowest price ever for Black Friday
- 기술 기업 노리는 북한의 가짜 IT 인력 캠페인··· 데이터 탈취도 주의해야
- 구글 클라우드, 구글 워크스페이스용 제미나이 사이드 패널에 한국어 지원 추가
- The best MagSafe accessories of 2024: Expert tested and reviewed
- Threads will show you more from accounts you follow now - like Bluesky already does
Atlassian Patches Critical Authentication Flaw in Jira Software
Atlassian has released multiple patches to fix a critical security vulnerability in Jira Service Management Server and Data Center.
The flaw (tracked CVE-2023-22501) has a CVSS score of 9.4 and can reportedly be exploited by attackers to impersonate other users and obtain unauthorized access to affected instances.
“With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to sign-up tokens sent to users with accounts that have never been logged into,” reads a description of the flaw on the Jira website.
According to Atlassian, access to these tokens can be obtained either via an attacker being included on Jira issues or requests with these users or if the attacker is forwarded (or otherwise gains access to) emails containing a ‘View Request’ link.
“Bot accounts are particularly susceptible to this scenario,” the company explained. “On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account.”
The Jira versions affected by the vulnerability are 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1 and 5.5.0. Atlassian has confirmed patches were released for versions 5.3.3, 5.4.2, 5.5.1 and 5.6.0. The company has urged customers to update to the latest patched version to protect their Jira instances from threat actors.
In a related report, Atlassian also set up an FAQ page for the flaw, where it clarified that Atlassian Cloud instances (Jira sites hosted on the cloud via an atlassian.net domain) had not been vulnerable to it.
The patches come a few months after multiple US security agencies included another Atlassian vulnerability (CVE-2022-26134) in a list of the 20 common flaws exploited by Chinese state-sponsored actors since 2020.