A researcher says it was theoretically possible to move laterally or upward beyond the instance. Jira Align vulnerabilities allow attackers to gain super admin rights.

A security researcher cautions that a pair of Jira Align security flaws might, in the “worst-case scenario,” be exploited by malicious users with low privileges to attack Atlassian’s cloud infrastructure.

Jira Align is a software-as-a-service (SaaS) platform that enables businesses to scale their cloud deployments of the wildly popular bug-tracking and project management tool Atlassian Jira.

The MasterUserEdit API is vulnerable to a high severity (CVSS 8.8) authorization controls bug that enables users with the ‘people’ permission to increase their privilege or any other user’s privilege to “super admin” (CVE-2022-36803).

Attackers could then exploit a medium-severity (CVSS 4.9) server-side request forgery (SSRF) flaw (CVE-2022-36802) to obtain the AWS credentials of the Atlassian service account that set up the Jira Align instance.

MisAligned permissions

According to Jake Shafer, a senior security consultant at Bishop Fox, super admins have the ability to change security settings, reset user accounts, and reconfigure Jira connections, among other things.

He also said that attackers could access “whatever the SaaS client has in their Jira deployment (or simply take the whole thing offline. But I would assume there are some backups in that scenario)”.

“Based on my pen testing experience, that might include everything from client and login information to information on unpatched vulnerabilities in their own software and apps.

“While my testing was stopped at the edge of the Atlassian infrastructure for good cause, given the correct circumstances [SSRF], it may imply acquiring access to other client data through lateral or upward migration over Atlassian’s AWS.”

Since Atlassian provides these customers with cloud tenants, accessing the SaaS provider’s infrastructure directly is pretty much the worst-case situation.

The bugs affect version 10.107.4 and were fixed in version 10.109.3, which was released on July 22, 2022.

People permissions

How the “people” permission is used depends on how an instance is configured. Shafer said in a Bishop Fox security alert, “In the sandbox environment that was built for testing purposes, this permission was added to the ‘programme manager’ job, but could be exploited by any role with the ‘people’ permission.”

The API call can be made with a POST request that includes the user’s session cookies, by “intercepting the role change request straight to the API and altering the cmbRoleID parameter to 9”.

The Jira Align ManageJiraConnectors API, which controls external connections, houses the SSRF.

TxtAPIURL, a user-supplied URL value, points to the appropriate API address. Jira Align automatically appended /rest/api/2/ to the URL on the server side, but Shafer cautioned that adding a ‘#’ “would allow an attacker to specify any URL.”
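The suffix truncation described above, shown next to a hardened connector check, as an added illustration that is not Jira Align's code or part of the Bishop Fox advisory. The host names, function names and the allowlist approach are assumptions made for the example; only the appended /rest/api/2/ path comes from the article.

```python
from urllib.parse import urlsplit, urlunsplit

API_SUFFIX = "/rest/api/2/"  # path the article says the server appends
# Constructed allowlist of Jira hosts an admin has approved (assumption).
ALLOWED_HOSTS = frozenset({"jira.example.com"})


def naive_target(user_url: str) -> str:
    """Weak pattern: append the API path to whatever URL was supplied."""
    return user_url + API_SUFFIX


def effective_request(url: str) -> str:
    """URL an HTTP client requests: the fragment is never sent to the server."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def safe_target(user_url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Hardened pattern: validate the parsed URL, then rebuild it from parts."""
    raw = user_url.strip()
    p = urlsplit(raw)
    if p.scheme != "https":
        raise ValueError("connector URL must use https")
    if "#" in raw or "?" in raw:
        raise ValueError("fragment or query not allowed in connector URL")
    if p.username is not None or p.password is not None:
        raise ValueError("userinfo not allowed in connector URL")
    if (p.hostname or "").lower() not in allowed_hosts:
        raise ValueError("host is not an approved Jira server")
    # Rebuild from validated components so the suffix is always in the path.
    return urlunsplit(("https", p.netloc, p.path.rstrip("/") + API_SUFFIX, "", ""))


def is_accepted(user_url: str) -> bool:
    """True when safe_target() would accept the supplied connector URL."""
    try:
        safe_target(user_url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for url in ("https://jira.example.com",          # legitimate (constructed)
                "https://internal.example/admin#"):  # constructed '#' case
        print(url, "->", effective_request(naive_target(url)), is_accepted(url))
```

The check works on the host name only; a deployment would also need to confirm that an approved name does not resolve to an internal or link-local address at request time.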

The flaws were discovered on May 31, 2022, and Atlassian was notified on June 6. On June 28, the vendor released a hotfix version to address the SSRF.