Atlassian patches serious Jira authentication flaw

Atlassian has revealed it has fixed a major flaw in its Jira Service Management Server and Data Center products.

The vulnerability, tracked as CVE-2023-22501, allows threat actors to impersonate people and gain access to a Jira Service Management instance under certain circumstances. It has been given a severity score of 9.4, making it a critical flaw. 

“With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to sign-up tokens sent to users with accounts that have never been logged into,” Atlassian noted in its description of the vulnerability.

Vulnerable versions

The company explained that a threat actor might be able to get the tokens by being included on Jira issues or requests with the users, or if they somehow obtain an email with the “View Request” link. 

“Bot accounts are particularly susceptible to this scenario,” Atlassian further explained. “On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account.”

These are the Jira Service Management versions vulnerable to the flaw: 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1 and 5.5.0. To be on the safe side, make sure to bring your Jira up to version 5.3.3, 5.4.2, 5.5.1 or 5.6.0.
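To turn the version list above into an inventory check, here is an added example (not from the article or from Atlassian): a Python helper that classifies a Jira Service Management version as affected, fixed or not covered by this advisory, using only the versions the article lists. The sample inventory and host names are constructed, and the assumption that every release at or above 5.6.0 carries the fix is the author's inference from the advisory wording.

```python
"""Classify Jira Service Management versions against the CVE-2023-22501 version list."""
import re

# Affected and fixed releases exactly as listed in the article (Atlassian advisory).
AFFECTED = {"5.3.0", "5.3.1", "5.3.2", "5.4.0", "5.4.1", "5.5.0"}
FIXED = ["5.3.3", "5.4.2", "5.5.1", "5.6.0"]


def parse_version(text):
    """Parse 'major.minor.patch' into an int tuple; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def fix_version_for(version):
    """Lowest fixed release on the same major.minor line, else the newest fixed release."""
    major, minor, _ = parse_version(version)
    for fixed in FIXED:
        if parse_version(fixed)[:2] == (major, minor):
            return fixed
    return FIXED[-1]


def assess(version):
    """Return ('affected', upgrade_target), ('fixed', None) or ('not listed', None)."""
    v = parse_version(version)
    if version.strip() in AFFECTED:
        return ("affected", fix_version_for(version))
    for fixed in FIXED:
        f = parse_version(fixed)
        # Same feature line and at or above its fix release: patched.
        if v[:2] == f[:2] and v >= f:
            return ("fixed", None)
    # Assumption (not stated on the page): anything newer than 5.6.0 contains the fix.
    if v >= parse_version(FIXED[-1]):
        return ("fixed", None)
    # Older lines such as 5.2.x are not named in the advisory; verify them separately.
    return ("not listed", None)


# Constructed sample inventory: hostnames and versions are made up for illustration.
INVENTORY = [("jsm-prod-01", "5.4.1"), ("jsm-stage-01", "5.5.1"),
             ("jsm-legacy", "5.2.9"), ("jsm-dev", "5.6.2")]


def report(inventory=INVENTORY):
    """Map each host to its (status, recommended upgrade) pair."""
    return {host: assess(ver) for host, ver in inventory}
```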

Atlassian products seem to be a popular target among cybercriminals. In October last year, the US Cybersecurity and Infrastructure Security Agency (CISA) noted that a high-severity flaw found in two widely used Atlassian Bitbucket products, Server and Data Center, was being actively exploited in the wild.

Before that, in July, it was reported that Jira, Confluence and Bamboo were vulnerable to CVE-2022-26136, an arbitrary Servlet Filter bypass that allowed threat actors to bypass custom Servlet Filters that third-party apps use for authentication. The flaw was deemed high-severity.

Via: Infosecurity Magazine



from TechRadar - All the latest technology news https://ift.tt/H8s1KfY
