CVE-2023-22501
CVE-2023-22501 is a critical-severity vulnerability in Atlassian Jira Service Management with a CVSS 3.x base score of 9.1. Its EPSS exploit-prediction score of 16% places it in the 97th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-287.
Key facts
- Severity: Critical (CVSS 3.x base score 9.1)
- EPSS exploit prediction: 16% (97th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-287
- Affected product: Atlassian Jira Service Management
- Published:
- Last modified:
Description
An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances_._ With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into. Access to these tokens can be obtained in two cases: * If the attacker is included on Jira issues or requests with these users, or * If the attacker is forwarded or otherwise gains access to emails containing a “View Request” link from these users. Bot accounts are particularly susceptible to this scenario. On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account.
Frequently asked questions
- What is CVE-2023-22501?
- An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances_._ With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into. Access to these tokens can be obtained in two cases: * If the attacker is included on Jira issues or requests with these users, or * If the attacker is forwarded or otherwise gains access to emails containing a “View Request” link from these users. Bot accounts are particularly susceptible to this scenario. On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account.
- How severe is CVE-2023-22501?
- CVE-2023-22501 has a CVSS 3.x base score of 9.1, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2023-22501 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 16% (97th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-22501?
- CVE-2023-22501 primarily affects Atlassian Jira Service Management. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-22501?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2023-22501 published?
- CVE-2023-22501 was published on 2023-02-01 and last updated on 2026-06-17.
References
Affected products (4)
- cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*
- cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*
- cpe:2.3:a:atlassian:jira_service_management:5.5.0:*:*:*:data_center:*:*:*
- cpe:2.3:a:atlassian:jira_service_management:5.5.0:*:*:*:server:*:*:*
More vulnerabilities in Atlassian Jira Service Management
- CVE-2022-26136 — Critical (CVSS 9.8): A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used…
- CVE-2022-0540 — Critical (CVSS 9.8): A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a…
- CVE-2020-36239 — Critical (CVSS 9.8): Jira Data Center, Jira Core Data Center, Jira Software Data Center from version 6.3.0 before 8.5.16, from 8.6.0 before…
- CVE-2019-13990 — Critical (CVSS 9.8): initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE…
- CVE-2024-21683 — High (CVSS 8.8): This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center…
- CVE-2022-26137 — High (CVSS 8.8): A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet…
All CVEs affecting Atlassian Jira Service Management →
Other CWE-287 (Improper Authentication) vulnerabilities
- CVE-2026-45480 — Critical (CVSS 10.0): Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network.
- CVE-2026-46389 — Critical (CVSS 10.0): UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS…
- CVE-2026-10611 — Critical (CVSS 10.0): An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement.…
- CVE-2026-47280 — Critical (CVSS 10.0): Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-42822 — Critical (CVSS 10.0): Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges…
- CVE-2026-20182 — Critical (CVSS 10.0): May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and…
Browse all CWE-287 (Improper Authentication) vulnerabilities →