A critical vulnerability in Jira Service Management (Server and Data Center) could allow an unauthenticated attacker to impersonate other users and gain remote access. Read how to defend yourself.
The vulnerability affects JSM versions from 5.3.0 to 5.5.0 inclusive. The vulnerability allows an attacker to impersonate another user and gain access to an instance under certain circumstances. Details can be found on the vulnerability page.
How to defend yourself?
You should upgrade to one of the safe versions:
- 5.6.0 or later
If upgrading JSM to one of the listed versions is not possible at this point, use a temporary workaround in the form of a manual "patch" installation. Procedure:
- Download the appropriate JAR file from the Atlassian website. The patch version depends on the version of JSM you have installed.
- Stop Jira.
- Copy the file to the application's home directory:
  - for the Server version: <Jira-home>/plugins/installed-plugins
  - for the Data Center version: <Jira_Shared>/plugins/installed-plugins
- Start Jira.
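As an added example (not part of the advisory or Atlassian's own tooling), the following shell helpers check whether an installed JSM version falls inside the affected range 5.3.0 to 5.5.0 inclusive, pick the installed-plugins directory for Server or Data Center, and carry out the stop/copy/start steps. It assumes plain dotted version numbers and the standard bin/stop-jira.sh and bin/start-jira.sh scripts in the Jira installation directory; the JAR filename and all paths are placeholders you supply.

```shell
#!/bin/sh
# ver_cmp A B: prints -1, 0 or 1 as A is older than, equal to or newer than B.
# Assumes numeric x.y.z versions (no -rc suffixes); missing components count as 0.
ver_cmp() {
  a="$1"; b="$2"; i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    i=$((i + 1))
  done
  printf '%s\n' 0
}

# jsm_affected VERSION: succeeds (exit 0) when 5.3.0 <= VERSION <= 5.5.0.
jsm_affected() {
  [ "$(ver_cmp "$1" 5.3.0)" -ge 0 ] && [ "$(ver_cmp "$1" 5.5.0)" -le 0 ]
}

# plugins_dir TYPE JIRA_HOME JIRA_SHARED: where the patch JAR belongs.
# Server uses the local home; Data Center uses the shared home.
plugins_dir() {
  case "$1" in
    server)     printf '%s\n' "$2/plugins/installed-plugins" ;;
    datacenter) printf '%s\n' "$3/plugins/installed-plugins" ;;
    *)          return 1 ;;
  esac
}

# apply_workaround TYPE JIRA_HOME JIRA_SHARED JAR INSTALL_DIR:
# stop Jira, copy the JAR into the right installed-plugins directory, start Jira.
apply_workaround() {
  dest=$(plugins_dir "$1" "$2" "$3") || { echo "unknown deployment type: $1" >&2; return 1; }
  [ -f "$4" ] || { echo "patch JAR not found: $4" >&2; return 1; }
  [ -d "$dest" ] || { echo "plugins directory missing: $dest" >&2; return 1; }
  "$5/bin/stop-jira.sh" && cp "$4" "$dest/" && "$5/bin/start-jira.sh"
}

# Example (constructed): only apply the workaround to an affected version.
if [ "${1:-}" = "check" ]; then
  jsm_affected "$2" && echo "JSM $2 is affected" || echo "JSM $2 is not in the affected range"
fi
```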