Atlassian Announces Critical Jira Service Management Vulnerability

Atlassian announced a new critical vulnerability in Jira Service Management Server and Data Center, tracked as CVE-2023-22501. Here’s what you need to know.

Who is Atlassian and what is Jira Service Management?

Atlassian is a global company that develops products to support collaboration and product development – including Jira Service Management. Built on Jira – a platform designed to help teams plan, assign, track, report and manage work – Jira Service Management provides a framework that helps structure an organization’s end-to-end delivery of IT services, including interactions with clients.

What is the situation?

The Jira Service Management vulnerability is described as a broken-authentication flaw with low attack complexity. According to Atlassian, the vulnerability “allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances.”

Atlassian has calculated a severity score of 9.4 out of 10, rating this as critical.

Per Atlassian, the vulnerability was introduced in version 5.3.0 and the following versions are affected:

  • 5.3.0
  • 5.3.1
  • 5.3.2
  • 5.4.0
  • 5.4.1
  • 5.5.0

Atlassian is urging administrators to patch this vulnerability as soon as possible to one of the following “fixed” versions:

  • 5.3.3
  • 5.4.2
  • 5.5.1
  • 5.6.0 or later
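For administrators checking an inventory against the lists above, the following script is an added example (not part of Atlassian's advisory or Nuspire's own tooling). It encodes the affected and fixed versions exactly as published for CVE-2023-22501, classifies a deployed version as not affected, affected, or fixed, and reports the fix each affected host should move to. The hostnames, the deployment-type labels and the function names are constructed for illustration.

```python
"""Classify Jira Service Management Server/Data Center versions against the
affected and fixed version lists Atlassian published for CVE-2023-22501.

Added example: the version numbers come from the advisory text; the host
inventory, deployment labels and function names are constructed assumptions.
"""

from typing import List, Tuple

Version = Tuple[int, int, int]

# Affected versions as listed in the advisory (the bug was introduced in 5.3.0).
AFFECTED = {"5.3.0", "5.3.1", "5.3.2", "5.4.0", "5.4.1", "5.5.0"}

# Fixed release on each affected branch, plus the first minor that is fixed outright.
FIXED_PER_BRANCH = {(5, 3): (5, 3, 3), (5, 4): (5, 4, 2), (5, 5): (5, 5, 1)}
FIRST_SAFE_MINOR: Version = (5, 6, 0)
INTRODUCED_IN: Version = (5, 3, 0)


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def classify(version: str, deployment: str = "server") -> str:
    """Return 'not_affected', 'affected' or 'fixed' for a single instance.

    deployment is a constructed label: 'server', 'datacenter' or 'cloud'.
    """
    if deployment == "cloud":
        # Atlassian states that cloud-hosted sites on atlassian.net are not affected.
        return "not_affected"
    v = parse_version(version)
    if v < INTRODUCED_IN:
        return "not_affected"  # predates the release that introduced the flaw
    if v >= FIRST_SAFE_MINOR:
        return "fixed"  # 5.6.0 or later
    branch_fix = FIXED_PER_BRANCH.get(v[:2])
    if branch_fix is not None and v >= branch_fix:
        return "fixed"  # at or above the fixed release on this branch
    return "affected"


def fix_target(version: str) -> str:
    """Return the fixed release an affected on-prem version should move to."""
    v = parse_version(version)
    target = FIXED_PER_BRANCH.get(v[:2], FIRST_SAFE_MINOR)
    return ".".join(str(n) for n in target)


# Constructed sample inventory: (hostname, deployment type, version).
SAMPLE_INVENTORY = [
    ("jsm-prod-01", "server", "5.4.1"),
    ("jsm-prod-02", "datacenter", "5.5.1"),
    ("jsm-legacy", "server", "5.2.3"),
    ("example.atlassian.net", "cloud", "n/a"),
]


def needs_patching(inventory) -> List[Tuple[str, str, str]]:
    """Return (host, current version, fix target) for every affected on-prem host."""
    result = []
    for host, deployment, version in inventory:
        if classify(version, deployment) == "affected":
            result.append((host, version, fix_target(version)))
    return result


if __name__ == "__main__":
    for host, current, target in needs_patching(SAMPLE_INVENTORY):
        print(f"{host}: {current} is affected by CVE-2023-22501, upgrade to {target}")
```

The per-branch table matters because a host on 5.3.x does not need to jump to 5.6.0 to be fixed; 5.3.3 closes the issue on that branch. Anything below 5.3.0 is reported as not affected because the advisory says the flaw was introduced in 5.3.0, and cloud entries are skipped entirely.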

In addition, Atlassian emphasized that any Jira sites hosted on the cloud via an Atlassian[.]net domain are not affected, and no action is required.

What is Nuspire doing?

Nuspire is not affected by this vulnerability.

What should I do?

Organizations that utilize an on-prem version of Jira Service Management Server and Data Center should prioritize patching this critical vulnerability as soon as possible in accordance with Atlassian’s documentation.

Atlassian’s advisory regarding this vulnerability, including affected versions and patching information, can be found here.

Atlassian has emphasized that cloud-hosted versions of Jira on an Atlassian[.]net domain are not affected and there is no action required.
