1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Atlassian patches serious Jira authentication flaw

    From TechnologyDaily@1337:1/100 to All on Mon Feb 6 20:45:03 2023
    Atlassian patches serious Jira authentication flaw

    Date:
    Mon, 06 Feb 2023 20:32:20 +0000

    Description:
    The vulnerability allows threat actors to impersonate people and gain access to a Jira Service Management instance

    FULL STORY ======================================================================

    Atlassian has revealed it has fixed a major flaw in their Service Management Server and Data Center products.

    The vulnerability, tracked as CVE-2023-22501, allows threat actors to impersonate people and gain access to a Jira Service Management instance
    under certain circumstances. It has been given a severity score of 9.4,
    making it a critical flaw.

    With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to sign-up tokens sent to users with accounts that have never been logged into, Atlassian noted in its description of the vulnerability. Vulnerable versions

    The company explained that a threat actor might be able to get the tokens by being included on Jira issues or requests with the users, or if they somehow obtain an email with the View Request link.

    Bot accounts are particularly susceptible to this scenario, Atlassian further explained. On instances with single sign-on, external customer accounts can
    be affected in projects where anyone can create their own account.

    These are the Jira versions vulnerable to the flaw: 5.3.0; 5.3.1; 5.3.2; 5.4.0; 5.4.1, and 5.5.0. To be on the safe side, make sure to bring your Jira up to versions 5.3.3; 5.4.2; 5.5.1, or 5.6.0. Read more

    Atlassian is being actively exploited to compromise corporate networks


    Atlassian is suffering a whole bunch of awful security issues


    Here's our list of the best endpoint protection services right now

    Atlassian products seem to be a popular target among cybercriminals. In October last year, the US Cybersecurity and Infrastructure Agency (CISA)
    noted that a high-severity flaw found in two widely-used Atlassian Bitbucket tools - Server and Data Center, was being actively exploited in the wild.

    Before that, in July, it was reported that Jira, Confluence, and Bamboo, were vulnerable to CVE-2022-26136, an arbitrary Servlet Filter bypass that allowed threat actors to bypass custom Servlet FIlters that third-party apps use for authentication. The flaw was deemed high-severity. Here's our list of the
    best firewalls

    Via: Infosecurity Magazine



    ======================================================================
    Link to news story: https://www.techradar.com/news/atlassian-patches-serious-jira-authentication-f law


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)