Atlassian is a global company that develops products to support collaboration and product development – including Jira Service Management. Built on Jira – a platform designed to help teams plan, assign, track, report and manage work – Jira Service Management provides a framework that helps structure an organization’s end-to-end delivery of IT services, including interactions with clients.
The Jira Service Management vulnerability is being described as broken authentication with a low-level attack complexity. According to Atlassian, the vulnerability “allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances.”
Atlassian has calculated a severity score of 9.4 out of 10, rating this as critical.
Per Atlassian, the vulnerability was introduced in version 5.3.0 and the following versions are affected:
Atlassian is urging administrators to patch this vulnerability as soon as possible to one of the following “fixed” versions:
In addition, Atlassian emphasized that any Jira sites hosted on the cloud via an Atlassian[.]net domain are not affected, and no action is required.
Nuspire is not affected by this vulnerability.
Organizations that utilize an on-prem version of Jira Service Management Server and Data Center should prioritize patching this critical vulnerability as soon as possible in accordance with Atlassian’s documentation.
Atlassian’s advisory regarding this vulnerability, including affected versions and patching information, can be found here.
Atlassian has emphasized that cloud-hosted versions of Jira on an Atlassian[.]net domain are not affected and there is no action required.