Atlassian fixes a critical bug giving access to Jira Service Management

A critical vulnerability in Atlassian’s Jira Service Management Server and Data Center could allow an unauthenticated attacker to impersonate other users and gain remote access to systems.

Atlassian explains that the security issue affects versions 5.3.0 through 5.5.0 and hackers can gain “access to a Jira Service Management instance under certain circumstances.”

“With write access to a user directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to registration tokens sent to users with accounts that have never been logged in” – Atlassian

Tracked as CVE-2023-22501, the vulnerability has a critical severity score of 9.4, as calculated by Atlassian. It could be used to target bot accounts in particular, due to their frequent interactions with other users and their increased likelihood of being included in Jira issues or requests, or of receiving emails with a “View Request” link; either condition is necessary for an attacker to acquire registration tokens.

Atlassian has released updates that resolve the issue and advises admins to upgrade to releases 5.3.3, 5.4.2, 5.5.1, and 5.6.0 or later.

If the update cannot be installed immediately, the vendor has provided a workaround in the form of a JAR file which can be used to manually upgrade the “servicedesk-variable-substitution-plugin” as described in the steps below:

  1. Download the version specific JAR file from the advisory
  2. Stop Jira
  3. Copy the JAR file to Jira’s home directory (“/plugins/installed-plugins” for servers or “ for data centers)
  4. Restart the service

Atlassian also released an FAQ explaining that upgrading is recommended even if the instances are not exposed to the public internet or use an external user directory with single sign-on (SSO) enabled.

As a caveat, password changes made by an attacker will not generate an email notification to the account owner, making it harder to detect a compromise.

However, after applying the available security update or JAR file workaround, administrators can check which accounts have changed their passwords and logged in since the installation of the previous version, which could reveal unauthorized access to accounts.
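One way to run that post-patch check, as an added example that is not Atlassian's code or part of the advisory: it assumes a constructed export of user-directory records with ISO-8601 timestamps (the field names `first_login` and `last_password_change` are assumptions), and flags accounts whose password was changed and whose first ever login both happened after the date the vulnerable version was installed, which is the pattern of a never-used account taken over via its registration token.

```python
"""Triage Jira user records after patching CVE-2023-22501.

Added example, not Atlassian's code. The export format and field
names below are assumptions; adapt them to whatever your user
directory or Jira database export actually provides.
"""
from datetime import datetime

# Constructed sample export: one record per Jira user.
# None means the event has never happened for that account.
SAMPLE_USERS = [
    {"name": "svc-bot", "created": "2022-11-01T09:00:00Z",
     "first_login": "2023-01-30T02:14:00Z",
     "last_password_change": "2023-01-30T02:13:00Z"},
    {"name": "alice", "created": "2021-05-03T08:00:00Z",
     "first_login": "2021-05-03T08:30:00Z",
     "last_password_change": "2023-01-28T11:00:00Z"},
    {"name": "newhire", "created": "2023-01-20T10:00:00Z",
     "first_login": None, "last_password_change": None},
]


def _ts(value):
    """Parse an ISO-8601 UTC timestamp ('Z' suffix); None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def suspicious_accounts(users, installed_since):
    """Return names of accounts that changed their password AND logged
    in for the first time after `installed_since` (the date the
    vulnerable release went in). An account that was already in use
    before that date is not the population the advisory describes."""
    since = _ts(installed_since)
    flagged = []
    for user in users:
        pw_changed = _ts(user["last_password_change"])
        first_login = _ts(user["first_login"])
        if pw_changed is None or first_login is None:
            continue  # never logged in, or never changed password
        if pw_changed > since and first_login > since:
            flagged.append(user["name"])
    return flagged


if __name__ == "__main__":
    # Vulnerable 5.x release assumed installed on 2023-01-25 (constructed).
    for name in suspicious_accounts(SAMPLE_USERS, "2023-01-25T00:00:00Z"):
        print(f"review and force password reset: {name}")
```

Accounts this returns are candidates for the forced password reset and email-address check Atlassian recommends, not proof of compromise on their own.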

Atlassian recommends that administrators force password resets of all potentially hacked users and ensure that their email addresses are correct.

If a breach has been detected, the recommendation is to immediately shut down and disconnect the compromised server from the network to minimize the scope of the attack.
