Security News > 2023 > February > Atlassian's Jira Service Management Found Vulnerable to Critical Vulnerability
Atlassian has released fixes to resolve a critical security flaw in Jira Service Management Server and Data Center that could be abused by an attacker to pass off as another user and gain unauthorized access to susceptible instances.
The vulnerability is tracked as CVE-2023-22501 and has been described as a case of broken authentication with low attack complexity.
"An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances," Atlassian said.
"With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into."
The Australian software services provider said the vulnerability was introduced in version 5.3.0 and impacts all subsequent versions 5.3.1, 5.3.2, 5.4.0, 5.4.1, and 5.5.0.
With flaws in Atlassian products becoming an alluring attack vector in recent months, it's crucial that users upgrade their installations to the latest versions to mitigate potential threats.
News URL
https://thehackernews.com/2023/02/atlassians-jira-software-found.html
Related news
- Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks (source)
- Critical Next.js auth bypass vulnerability opens web apps to compromise (CVE-2025-29927) (source)
- Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication (source)
- CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825) (source)
- Mozilla Patches Critical Firefox Bug Similar to Chrome’s Recent Zero-Day Vulnerability (source)
- Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability (source)
- Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence (source)
- Jira Down: Atlassian users experiencing degraded performance (source)
- Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Allows Unauthenticated Code Execution (source)
- Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028) (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-01 | CVE-2023-22501 | Improper Authentication vulnerability in Atlassian Jira Service Management An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances_._ With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into. | 9.1 |