Technology
Jira Align vulnerabilities enabled malicious users to gain super admin privileges
A pair of vulnerabilities patched in Jira Align could have enabled low-privileged malicious users to elevate their privileges to super admin, a security researcher has found.
Jira Align is a software-as-a-service (SaaS) platform through which enterprises can scale their deployments of Atlassian Jira, the hugely popular bug tracking and project management application.
A Bishop Fox security researcher found a high severity (CVSS 8.8) authorization controls flaw that allows users with the ‘people’ permission to elevate their privilege, or that of any other user, to ‘super admin’ via the MasterUserEdit API (CVE-2022-36803).
Subsequently, abuse of a medium severity (CVSS 4.9) server-side request forgery (SSRF) bug (CVE-2022-36802) could then see attackers retrieve AWS credentials of the Atlassian service account that deployed the Jira Align instance, the researcher said.
MisAligned permissions
Super admins can among other things modify Jira connections, reset user accounts, and modify security settings, said Jake Shafer, senior security consultant at Bishop Fox.
Attackers could also access “everything the client of the SaaS had in their Jira deployment (or just take the whole thing offline, but I would hope there’s some backups in that case)”, he told The Daily Swig.
“Going by my pen testing experience, that could be everything from credentials and client information to details on unpatched vulnerabilities in their own applications and software.”
Shafer also speculated that, while his testing “stopped at the edge of the Atlassian infrastructure”, leveraging the SSRF “under the right conditions” might theoretically enable attackers to move laterally or upward through Atlassian’s AWS infrastructure.
However, Atlassian disputed this assertion in response to queries from Daily Swig, emphasizing “that Jira Align’s SaaS and Atlassian’s wider SaaS are not connected. The Jira Align AWS environment was locked down to a level that there was no accessible information that was not encrypted and other layers could not be reached, so this is a purely hypothetical and misleading statement”.
No exploitation detected
The flaws affect version 10.107.4 and were patched in 10.109.3, which was released on July 22, 2022.
The issues were unearthed on May 31, 2022, and reported to Atlassian on June 6, with the vendor initially addressing the SSRF with a hotfix on June 9.
Bala Sathiamurthy, chief information security officer at Atlassian, told Daily Swig: “These are both known and patched medium-severity vulnerabilities. Our Security Intelligence team has verified that no customers that use Jira Align on an Atlassian hosted cloud offering had either vulnerability exploited.”
He added: “As always, we recommend that our server and data center customers apply the latest security patches and mitigations as soon as they are available in order to receive the latest features and fixes. We also recommend that our customers move to the cloud versions of Atlassian products to ensure they automatically receive the upgrades and security patches.”
People permissions
The role of ‘people’ permissions varies depending on an instance’s configuration. “In the sandbox environment that was provisioned for testing purposes, this permission was added to the ‘program manager’ role, but could be exploited by any role with the ‘people’ permission,” explained Shafer in a Bishop Fox security advisory.
This could either be done by “intercepting the role change request directly to the API and modifying the cmbRoleID parameter to 9”, or by performing an API call with a POST request containing their session cookies.
The SSRF resides in the Jira Align ManageJiraConnectors API, which manages external connections.
A user-supplied URL value called txtAPIURL points to the relevant API location. Jira Align automatically appended /rest/api/2/ to the URL server side, but the further addition of ‘#’ “would allow an attacker to specify any URL”, warned Shafer.
Skylar Grey – Everything I Need [LYRICS]
[Music] Diddy – Dirty Money – “Coming Home” Feat. Skylar Grey
Diddy – Dirty Money – “Coming Home” Feat. Skylar Grey [LYRICS]
[Music] African China – Amen
[Music] African China – Baba God
African China – Baba God [LYRICS]
Machine Gun Kelly (MGK) “Home” Feat X Ambassadors & Bebe Rexha [LYRICS]
Passenger – Let Her Go [LYRICS]
[Music] Eminem – “No Love” Feat. Lil Wayne
Eminem – “No Love” Feat. Lil Wayne [LYRICS]
[Music] Tatiana Manaois – Buzz Kill
Tatiana Manaois – Buzz Kill [LYRICS]
James Blunt – Goodbye My Lover [LYRICS]
Major Lazer – “Particula” Feat. Nasty C , Ice Prince, Patoranking & Jidenna [LYRICS]
James Blunt – You’re Beautiful [LYRICS]
Justin Timberlake – Mirrors [LYRICS]
[Music] Darey – “Pray For Me” feat. Soweto Gospel Choir
Eminem – “Love The Way You Lie” Feat. Rihanna [LYRICS]
Goldlink ft. Miguel – Got Friends [LYRICS]
Sia – I’m Still Here [LYRICS]
Yo Gotti ft. Nicki Minaj – Rake It Up [LYRICS]
Shane McMahon – Here Comes The Money [LYRICS]
Journey – Faithfully [LYRICS]
[Music] Journey – Faithfully
Eminem – Not Afraid [LYRICS]
[Music] Journey – Don’t Stop Believin’
Journey – Don’t Stop Believin’ [LYRICS]
21 Savage – Bank Account [LYRICS]
Demi Lovato – Sober [LYRICS]
Beyonce ft. Jay-Z – Apeshit [LYRICS]
Nasty C ft. ASAP Ferg – King [LYRICS]
Lil Wayne – Uproar [LYRICS]
Ed Sheeran – Perfect [LYRICS]
[Music] Mo’Hits All Star – Close To You
Lil Dicky ft. Chris Brown – Freaky Friday [LYRICS]
Michael Jackson – Stranger In Moscow [LYRICS]
[Music] Celine Dion – I Drove All Night
Celine Dion – I Drove All Night [LYRICS]
Tatiana Manaois – Hey Little Lady [LYRICS]
[Music] Tatiana Manaois – Live Better
[Music] Gnash Ft Olivia O’Brien – I Hate you, I Love you
[INSTRUMENTAL] John Legend – All Of Me
Alan Walker – Faded [INSTRUMENTAL]
[Video] 21 Savage ft. Offset & Metro Boomin – Rap Saved Me
[Instrumental] Wiz Khalifa – See You Again ft. Charlie Puth
[Music] Sapientdream – Pastlives
Salvation Ministry Choir – Amen [LYRICS]
[Music] Don Omar – Danza Kuduro (feat. Lucenzo)
[Music] The Chainsmokers – ‘Don’t Let Me Down’ Feat. Daya
Ladé – Adulthood Anthem (Adulthood Na Scam) [Lyrics]
[Music] Timbaland – Apologize ft. OneRepublic
[Music] Powfu – Death Bed (Coffee for Your Head) Feat. Beabadoobee
[Music] Wyclef Jean – “Sweetest Girl (Dollar Bill)” Feat. Akon, Lil Wayne, Niia
[Music] Zayn Malik – Entertainer
[Music] Wiz Khalifa – See You Again ft. Charlie Puth
[Music] Exalted Tribe (HICC) – We Dey Halla
[Music] Anna Kendrick – Cups (Pitch Perfect’s “When I’m Gone”)
[Music] Diddy – Dirty Money – “Coming Home” Feat. Skylar Grey
[Music] John Legend – Love Me Now
[Music] Right Said Fred – Stand Up (For the Champions)
[Music] Salvation Ministries Choir – Chioma Me Eh(Good God)
[Music] Celine Dion – If That’s What It Takes
Salvation Ministries Choir – Chioma Me Eh(Good God) [LYRICS]
[Music] P!nk – Try
[Music] Shaggy – Strength Of A Woman
[Music] Jaden Smith – Goku
[Music] Wiz Khalifa – See You Again (Remix) Feat Charlie Puth, Eminem, Tyga, & Chris Brown
[Music] R. Kelly – World’s Greatest
Magic! — Rude [LYRICS]
[Music] Journey – Don’t Stop Believin’
[Music] Justin Bieber – Love Me
[Music] Cardi B – Bartier Cardi ft. 21 Savage
[Music] Lionel Richie – Angel
[Music] Tyga ft. Offset – Taste
[Music] P!nk – “Just Give Me A Reason” Feat. Nate Ruess
[Music] BIG SHAQ – Man’s Not Hot
[Music] 21 Savage ft. Offset & Metro Boomin – Rap Saved Me
[Music] Shayne Ward – Breathless
[Music] Post Malone – Candy Paint
[Music] R Kelly – When A Woman Loves
-
Technology2 years agoVoIP Number: Everything You Need To Know
-
Music4 days ago[Music] Gnash Ft Olivia O’Brien – I Hate you, I Love you
-
Music1 day ago[INSTRUMENTAL] John Legend – All Of Me
-
Music5 days agoAlan Walker – Faded [INSTRUMENTAL]
-
Music2 days ago[Video] 21 Savage ft. Offset & Metro Boomin – Rap Saved Me
-
Music3 days ago[Instrumental] Wiz Khalifa – See You Again ft. Charlie Puth
-
Music1 week ago[Music] Akon – Sorry Blame It On Me
-
ANE Stories6 years ago[STORY] AMAKA THE LESBIAN (Complete Episodes)