Atlassian JIRA Servicedesk misconfiguration - Vulnerability Database

Atlassian JIRA Servicedesk misconfiguration

Description

Atlassian JIRA Service Desk is a widely-used IT service management and customer support platform. This vulnerability occurs when JIRA Service Desk is misconfigured to allow unrestricted public user registration through the /servicedesk/customer/user/signup endpoint. When this setting is enabled without proper access controls, unauthorized users can create accounts and gain access to internal service desk portals, potentially exposing sensitive support tickets, customer information, and internal communications.

Remediation

Immediately restrict public signup access to your JIRA Service Desk instance by following these steps: 1. Review Customer Access Settings: • Navigate to Project settings → Customer permissions in your JIRA Service Desk project • Review the "Who can raise requests?" setting 2. Disable Public Signup: • Change the customer access setting from "Anyone" or "Anyone with access to the Jira site" to "Only people you invite or add to this project" • Alternatively, configure "Anyone in these domains" and specify only trusted email domains 3. Disable Global Signup (if applicable): • Go to Administration → User management → User signup options • Ensure "Public signup" is disabled for the entire JIRA instance 4. Audit Existing Accounts: • Review recently created customer accounts for suspicious registrations • Remove any unauthorized accounts and review tickets they may have accessed 5. Implement Additional Controls: • Enable CAPTCHA for signup pages if public access is required • Implement email domain restrictions to limit registration to known partners or customers • Enable audit logging to monitor account creation and access patterns Consult the official Atlassian documentation (referenced above) for detailed configuration guidance specific to your JIRA Service Desk version.