Threat Advisory

Critical Vulnerability found in Atlassian’s Jira Service Management

February 6, 2023 | By Accorian

Atlassian has fixed a critical security flaw in Jira Service Management Server and Data Centre. The flaw is tracked as CVE-2023-22501 (CVSS rating: 9.4) and is described as a case of broken authentication with a simple attack vector. An attacker could exploit it to pose as another user and access affected instances without authorization. The vulnerability affects Jira Service Management Server and Data Centre versions 5.3.0 to 5.3.2 and 5.4.0 to 5.5.0.

According to Atlassian, with write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens. The tokens are sent to users who have never signed into their accounts. The tokens can be accessed in two ways:

  • If the attacker has access to requests or issues on Jira that include these users, or
  • If the attacker is forwarded, or otherwise obtains access to, emails containing a “View Request” link from these users.

Bot accounts are particularly vulnerable in this case. Users who are synchronized to the Jira service by read-only User Directories or single sign-on (SSO) are unaffected. However, on instances with single sign-on, external customer accounts can still be affected in projects in which anyone can create their own account. Atlassian further noted that the issue does not affect Jira sites hosted in the cloud using an atlassian[.]net domain, and no remedial action is necessary in this scenario.

Accorian advises you to upgrade each of your impacted installations to 5.3.3, 5.4.2, 5.5.1, or 5.6.0 or later, considering the recent emergence of Atlassian products as an alluring attack vector.
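To triage an inventory against the versions above, the following added example (not Accorian's or Atlassian's code) flags a version as affected only if it falls in the stated ranges and is below the fixed release listed for its own release line, so 5.4.2 is treated as fixed even though it sits inside the 5.4.0 to 5.5.0 range. Function names and the sample hostnames are constructed for illustration.

```python
import re

# Ranges and fixed releases as stated in this advisory for CVE-2023-22501.
AFFECTED_RANGES = [((5, 3, 0), (5, 3, 2)), ((5, 4, 0), (5, 5, 0))]
FIXED_RELEASES = [(5, 3, 3), (5, 4, 2), (5, 5, 1), (5, 6, 0)]


def parse_version(text):
    """Return (major, minor, patch) from strings such as '5.4.1' or '5.4'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p or 0) for p in m.groups())


def triage(version_text):
    """Return (affected, upgrade_target) for one Jira Service Management version."""
    v = parse_version(version_text)
    in_range = any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)
    # Fixed release on the same major.minor line, if the advisory lists one.
    fixed = next((f for f in FIXED_RELEASES if f[:2] == v[:2]), None)
    # A version at or above its line's fixed release is not affected,
    # e.g. 5.4.2 lies inside 5.4.0-5.5.0 but is itself a fixed release.
    if not in_range or (fixed is not None and v >= fixed):
        return False, None
    target = fixed or min(f for f in FIXED_RELEASES if f > v)
    return True, ".".join(map(str, target))


def triage_inventory(inventory):
    """Map {instance_name: version} to the instances that need an upgrade."""
    findings = {}
    for name, version in inventory.items():
        affected, target = triage(version)
        if affected:
            findings[name] = {"version": version, "upgrade_to": target}
    return findings


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    sample = {"jsm-prod": "5.4.1", "jsm-test": "5.5.1",
              "jsm-legacy": "5.3.0", "jsm-dr": "5.4.2"}
    for host, info in triage_inventory(sample).items():
        print(f"{host}: {info['version']} is affected, "
              f"upgrade to {info['upgrade_to']} or later")
```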


Threat Advisory Team 

