Jira Align vulnerabilities enabled malicious users to gain super admin privileges

Published

on

Jira Align vulnerabilities enabled malicious users to gain super admin privileges
Share this post:

A pair of vulnerabilities patched in Jira Align could have enabled low-privileged malicious users to elevate their privileges to super admin, a security researcher has found.

Jira Align is a software-as-a-service (SaaS) platform through which enterprises can scale their deployments of Atlassian Jira, the hugely popular bug tracking and project management application.

A Bishop Fox security researcher found a high severity (CVSS 8.8) authorization controls flaw that allows users with the ‘people’ permission to elevate their privilege, or that of any other user, to ‘super admin’ via the MasterUserEdit API (CVE-2022-36803).

Subsequently, abuse of a medium severity (CVSS 4.9) server-side request forgery (SSRF) bug (CVE-2022-36802) could then see attackers retrieve AWS credentials of the Atlassian service account that deployed the Jira Align instance, the researcher said.

MisAligned permissions

Super admins can among other things modify Jira connections, reset user accounts, and modify security settings, said Jake Shafer, senior security consultant at Bishop Fox.

Attackers could also access “everything the client of the SaaS had in their Jira deployment (or just take the whole thing offline, but I would hope there’s some backups in that case)”, he told The Daily Swig.

“Going by my pen testing experience, that could be everything from credentials and client information to details on unpatched vulnerabilities in their own applications and software.”

Shafer also speculated that, while his testing “stopped at the edge of the Atlassian infrastructure”, leveraging the SSRF “under the right conditions” might theoretically enable attackers to move laterally or upward through Atlassian’s AWS infrastructure.

However, Atlassian disputed this assertion in response to queries from Daily Swig, emphasizing “that Jira Align’s SaaS and Atlassian’s wider SaaS are not connected. The Jira Align AWS environment was locked down to a level that there was no accessible information that was not encrypted and other layers could not be reached, so this is a purely hypothetical and misleading statement”.

No exploitation detected

The flaws affect version 10.107.4 and were patched in 10.109.3, which was released on July 22, 2022.

The issues were unearthed on May 31, 2022, and reported to Atlassian on June 6, with the vendor initially addressing the SSRF with a hotfix on June 9.

Bala Sathiamurthy, chief information security officer at Atlassian, told Daily Swig: “These are both known and patched medium-severity vulnerabilities. Our Security Intelligence team has verified that no customers that use Jira Align on an Atlassian hosted cloud offering had either vulnerability exploited.”

He added: “As always, we recommend that our server and data center customers apply the latest security patches and mitigations as soon as they are available in order to receive the latest features and fixes. We also recommend that our customers move to the cloud versions of Atlassian products to ensure they automatically receive the upgrades and security patches.”

People permissions

The role of ‘people’ permissions varies depending on an instance’s configuration. “In the sandbox environment that was provisioned for testing purposes, this permission was added to the ‘program manager’ role, but could be exploited by any role with the ‘people’ permission,” explained Shafer in a Bishop Fox security advisory.

This could either be done by “intercepting the role change request directly to the API and modifying the cmbRoleID parameter to 9”, or by performing an API call with a POST request containing their session cookies.

The SSRF resides in the Jira Align ManageJiraConnectors API, which manages external connections.

A user-supplied URL value called txtAPIURL points to the relevant API location. Jira Align automatically appended /rest/api/2/ to the URL server side, but adding a ‘#’ to the supplied value turns that appended path into a URL fragment, which the client never sends, and so “would allow an attacker to specify any URL”, warned Shafer.
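To show why appending the path server side does not neutralise the ‘#’ trick, here is an added Python example (not Bishop Fox’s or Atlassian’s code) contrasting the string-concatenation pattern the advisory describes with a version that parses the supplied URL, rejects fragments, queries and userinfo, and checks the host against an allowlist; the hostnames and the allowlist are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist of Jira hosts a connector may point at (assumption,
# not a Jira Align setting).
ALLOWED_HOSTS = {"jira.example.com"}
API_SUFFIX = "/rest/api/2/"


def naive_api_url(txt_api_url: str) -> str:
    """The pattern described in the advisory: the suffix is appended as text."""
    return txt_api_url.rstrip("/") + API_SUFFIX


def effective_target(url: str) -> str:
    """What an HTTP client actually requests: the fragment never leaves the client."""
    scheme, netloc, path, query, _fragment = urlsplit(url)
    return urlunsplit((scheme, netloc, path, query, ""))


def hardened_api_url(txt_api_url: str) -> str:
    """Parse first, validate each component, then rebuild the URL from parts."""
    # '#' and '?' both let user input swallow the server-side suffix.
    if any(c in txt_api_url for c in "#?"):
        raise ValueError("fragment or query not allowed in API base URL")
    parts = urlsplit(txt_api_url)
    if parts.scheme != "https":
        raise ValueError("only https connectors are accepted")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed in API base URL")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"host {parts.hostname!r} is not an approved Jira host")
    path = parts.path.rstrip("/") + API_SUFFIX
    return urlunsplit(("https", parts.netloc, path, "", ""))


def accepted(txt_api_url: str) -> bool:
    """True if the hardened builder accepts the value, False if it rejects it."""
    try:
        hardened_api_url(txt_api_url)
        return True
    except ValueError:
        return False
```

With the naive builder, a value ending in ‘#’ yields a URL whose /rest/api/2/ part is only a fragment, so the request goes to whatever host the user supplied; the hardened builder refuses that value outright.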

