26 October 2022 at 16:00 UTC
Updated: 28 October 2022 at 14:38 UTC
Super admins can, among other things, modify Jira connections, reset user accounts, and modify security settings
UPDATED A pair of vulnerabilities patched in Jira Align could have enabled low-privileged malicious users to elevate their privileges to super admin, a security researcher has found.
Jira Align is a software-as-a-service (SaaS) platform through which enterprises can scale their deployments of Atlassian Jira, the hugely popular bug tracking and project management application.
A Bishop Fox security researcher found a high-severity (CVSS 8.8) authorization controls flaw that allows users with the ‘people’ permission to elevate their privilege, or that of any other user, to ‘super admin’ via the MasterUserEdit API (CVE-2022-36803).
Abuse of a medium-severity (CVSS 4.9) server-side request forgery (SSRF) bug (CVE-2022-36802) could then allow attackers to retrieve the AWS credentials of the Atlassian service account that deployed the Jira Align instance, the researcher said.
Super admins can, among other things, modify Jira connections, reset user accounts, and modify security settings, said Jake Shafer, senior security consultant at Bishop Fox.
Attackers could also access “everything the client of the SaaS had in their Jira deployment (or just take the whole thing offline, but I would hope there’s some backups in that case)”, he told The Daily Swig.
“Going by my pen testing experience, that could be everything from credentials and client information to details on unpatched vulnerabilities in their own applications and software.”
Shafer also speculated that, while his testing “stopped at the edge of the Atlassian infrastructure”, leveraging the SSRF “under the right conditions” might theoretically enable attackers to move laterally or upward through Atlassian’s AWS infrastructure.
However, Atlassian disputed this assertion in response to queries from The Daily Swig, emphasizing “that Jira Align’s SaaS and Atlassian’s wider SaaS are not connected. The Jira Align AWS environment was locked down to a level that there was no accessible information that was not encrypted and other layers could not be reached, so this is a purely hypothetical and misleading statement”.
No exploitation detected
The flaws affect version 10.107.4 and were patched in 10.109.3, which was released on July 22, 2022.
The issues were unearthed on May 31, 2022, and reported to Atlassian on June 6, with the vendor initially addressing the SSRF with a hotfix on June 9.
Bala Sathiamurthy, chief information security officer at Atlassian, told The Daily Swig: “These are both known and patched medium-severity vulnerabilities. Our Security Intelligence team has verified that no customers that use Jira Align on an Atlassian hosted cloud offering had either vulnerability exploited.”
He added: “As always, we recommend that our server and data center customers apply the latest security patches and mitigations as soon as they are available in order to receive the latest features and fixes. We also recommend that our customers move to the cloud versions of Atlassian products to ensure they automatically receive the upgrades and security patches.”
The role of ‘people’ permissions varies depending on an instance’s configuration. “In the sandbox environment that was provisioned for testing purposes, this permission was added to the ‘program manager’ role, but could be exploited by any role with the ‘people’ permission,” explained Shafer in a Bishop Fox security advisory.
This could either be done by “intercepting the role change request directly to the API and modifying the parameter to ”, or by performing an API call with a request containing their session cookies.
The SSRF resides in the Jira Align API, which manages external connections.
A user-supplied URL value called points to the relevant API location. Jira Align automatically appended /rest/api/2/ to the URL server side, but the further addition of ‘#’ “would allow an attacker to specify any URL”, warned Shafer.
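The suffix-appending behaviour described above can be reproduced and hardened in a few lines. This is an added example, not code from Jira Align or Bishop Fox; the function names, the allowlist and the hostnames are constructed assumptions, and only the `/rest/api/2/` suffix comes from the article.

```python
from urllib.parse import urlsplit, urlunsplit

API_SUFFIX = "/rest/api/2/"  # suffix the article says was appended server side

# Hypothetical allowlist of approved Jira servers (constructed value).
ALLOWED_HOSTS = {"jira.example.com"}


def naive_build(base_url: str) -> str:
    """Weak pattern: concatenate the suffix onto unvalidated user input."""
    return base_url + API_SUFFIX


def effective_request_target(url: str) -> tuple:
    """Return the (host, path) an HTTP client would actually request.

    A URL fragment is never sent to the server, so everything after '#'
    is dropped, including a suffix the application appended after it.
    """
    parts = urlsplit(url)
    return (parts.hostname or "", parts.path)


def safe_build(base_url: str) -> str:
    """Hardened pattern: parse, validate, then rebuild from components."""
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        raise ValueError("only https connector URLs are accepted")
    # A bare trailing '#' or '?' parses to an empty fragment or query,
    # so check the raw string as well as the parsed fields.
    if "#" in base_url or "?" in base_url:
        raise ValueError("fragment or query not allowed in a base URL")
    if parts.username or parts.password:
        raise ValueError("userinfo not allowed in a base URL")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("host is not an approved Jira server")
    path = parts.path.rstrip("/") + API_SUFFIX
    return urlunsplit(("https", parts.netloc, path, "", ""))
```

Host allowlisting does not cover redirects or hostnames that resolve to internal addresses; those need separate controls in the HTTP client and at the network layer.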
This article was updated on October 27 with the addition of comment from Atlassian.