Vulnerabilities addressed recently in Jira Align could allow an attacker to elevate privileges, obtain Atlassian cloud credentials, and potentially go after Atlassian infrastructure, researchers with Bishop Fox warn.
Jira Align is an enterprise software-as-a-service (SaaS) product for planning development lifecycles; it connects teams to the business, whereas Jira connects teams to each other.
Bishop Fox researchers have identified two high-severity security defects in Jira Align and warn that an attack exploiting both could have a critical impact not only on Jira Align, but on Atlassian infrastructure as well.
The first of the bugs is described as a server-side request forgery (SSRF) flaw in the application’s ‘Connectors’ settings. An attacker could exploit this vulnerability to “retrieve the AWS credentials of the Atlassian service account that provisioned the Jira Align instance,” Bishop Fox explains.
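The page describes the SSRF only at the level of "a user-supplied connector URL that the server fetches", and says nothing about how Jira Align validates such URLs. The validator below is an added example, not Bishop Fox's proof of concept or Atlassian's code, of the control that keeps an outbound connector request from reaching a cloud instance-metadata service or any other internal address: it checks every resolved address, unwraps IPv4-mapped IPv6 forms, and rejects non-HTTP schemes. The blocked hostname list and the function names are assumptions chosen for this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hostnames blocked by name so no DNS answer is consulted for them
# (constructed list; extend for your own environment).
BLOCKED_HOSTNAMES = {"metadata.google.internal", "metadata", "localhost"}
ALLOWED_SCHEMES = {"http", "https"}


def _is_disallowed_ip(ip) -> bool:
    """True if the address points anywhere an outbound connector must not reach."""
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 rules apply.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local      # 169.254.0.0/16, which includes the AWS IMDS address
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
        or not ip.is_global      # also catches TEST-NET and other non-routable ranges
    )


def resolve_connector_target(url: str):
    """Validate a user-supplied connector URL before the server fetches it.

    Returns (allowed, reason, resolved_ips). Every resolved address is
    checked, not just the first, so a mixed public/private DNS answer is
    rejected rather than silently passing on the public record.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed", []
    host = parsed.hostname
    if not host:
        return False, "missing host", []
    if host.lower().rstrip(".") in BLOCKED_HOSTNAMES:
        return False, f"host {host!r} is blocked by name", []
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal address: no DNS lookup
    except ValueError:
        try:
            infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
        except socket.gaierror as exc:
            return False, f"DNS resolution failed: {exc}", []
        ips = sorted({info[4][0] for info in infos})
    for raw in ips:
        if _is_disallowed_ip(ipaddress.ip_address(raw)):
            return False, f"{raw} is not a public address", ips
    return True, "ok", ips


if __name__ == "__main__":
    # Constructed inputs: the first three are what an SSRF probe would aim at.
    for candidate in (
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/",
        "http://127.0.0.1:8080/admin",
        "file:///etc/passwd",
        "https://8.8.8.8/",
    ):
        print(candidate, "->", resolve_connector_target(candidate)[:2])
```

The caller must connect to one of the addresses this function returned rather than resolving the hostname a second time; otherwise a DNS answer that changes between the check and the fetch (DNS rebinding) bypasses the validation. Redirect responses need the same check applied to each `Location` before it is followed.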
The second issue is described as insufficient authorization controls in the ‘People’ permission, allowing any user who holds this permission to change their own role to Super Admin, the highest role in Jira Align.
With Super Admin privileges, a malicious attacker could access all data in Jira Align, change user or account settings, and alter the application’s security controls.
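The page gives only the shape of the second defect: holding the ‘People’ permission was enough to set any role, including one's own. The following is an added example, not Jira Align's code or Bishop Fox's material, that puts that pattern beside a hardened version. The role names, ranks and the permission string are assumptions made up for this example; the point is the three rules that bound what a user-management permission may do: no editing one's own role, no granting a role above one's own, and no modifying an account that already outranks the actor.

```python
from dataclasses import dataclass, field

# Constructed role hierarchy for illustration; names and ranks are assumptions,
# not Jira Align's real role model. Higher rank = more privilege.
ROLE_RANK = {"member": 1, "people_admin": 2, "super_admin": 3}
PEOPLE_PERMISSION = "people"  # assumed identifier for the 'People' permission


class AuthorizationError(Exception):
    """Raised when an actor attempts a role change they are not entitled to make."""


@dataclass
class User:
    user_id: str
    role: str
    permissions: set = field(default_factory=set)


class UserDirectory:
    def __init__(self, users):
        self._users = {u.user_id: u for u in users}
        self.audit_log = []  # (actor, target, old_role, new_role)

    def role_of(self, user_id):
        return self._users[user_id].role

    def change_role_unsafe(self, actor_id, target_id, new_role):
        """Insufficient authorization: the only gate is the People permission.
        Anyone holding it can set any role on any account, including their own,
        so a low-privileged user can make themselves super_admin."""
        actor = self._users[actor_id]
        if PEOPLE_PERMISSION not in actor.permissions:
            raise AuthorizationError("missing People permission")
        self._users[target_id].role = new_role

    def change_role(self, actor_id, target_id, new_role):
        """Hardened version: the permission check plus three rules that bound it."""
        actor = self._users[actor_id]
        target = self._users[target_id]
        if PEOPLE_PERMISSION not in actor.permissions:
            raise AuthorizationError("missing People permission")
        if new_role not in ROLE_RANK:
            raise ValueError(f"unknown role {new_role!r}")
        # Rule 1: nobody edits their own role; escalation needs a second party.
        if actor_id == target_id:
            raise AuthorizationError("cannot change your own role")
        actor_rank = ROLE_RANK[actor.role]
        # Rule 2: no granting a role above the actor's own privilege level.
        if ROLE_RANK[new_role] > actor_rank:
            raise AuthorizationError(f"cannot grant {new_role!r} from role {actor.role!r}")
        # Rule 3: no modifying an account that already outranks the actor.
        if ROLE_RANK[target.role] > actor_rank:
            raise AuthorizationError(f"cannot modify a {target.role!r} account")
        self.audit_log.append((actor_id, target_id, target.role, new_role))
        target.role = new_role


def attempt(directory, actor_id, target_id, new_role):
    """Run the hardened check; return the denial reason, or None if the change was applied."""
    try:
        directory.change_role(actor_id, target_id, new_role)
    except AuthorizationError as exc:
        return str(exc)
    return None


def build_directory():
    """Constructed sample tenant: a low-privileged user holding the People
    permission, a super admin, and an ordinary member."""
    return UserDirectory([
        User("alice", "member", {PEOPLE_PERMISSION}),
        User("bob", "super_admin", {PEOPLE_PERMISSION}),
        User("carol", "member"),
    ])


if __name__ == "__main__":
    d = build_directory()
    d.change_role_unsafe("alice", "alice", "super_admin")
    print("unsafe path, alice is now:", d.role_of("alice"))
    d = build_directory()
    print("hardened path:", attempt(d, "alice", "alice", "super_admin"))
    print("hardened path:", attempt(d, "bob", "carol", "people_admin"), d.audit_log)
```

The audit log entry is written only on the hardened path, which is what a detection team would want: a role change to the top role that has no corresponding log line, or one whose actor and target are the same account, is the signal that the unsafe path was taken.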
Bishop Fox told SecurityWeek that an attacker with low-level user access could exploit the second vulnerability to become Super Admin and then leverage the SSRF to obtain Atlassian cloud credentials.
“If the Atlassian AWS environment was not properly locked down, that attacker would have been able to go after Atlassian infrastructure due to the fact that the credentials are not specific to the client, but for the Atlassian SaaS,” Bishop Fox said.
In this worst-case scenario, the attacker’s actions could represent a risk for multiple Atlassian clients that are connected to the infrastructure.
Tracked as CVE-2022-36802 and CVE-2022-36803, both vulnerabilities could be exploited remotely. The bugs were addressed in July with the release of Jira Align 10.109.3.
UPDATE: On October 26, Atlassian told SecurityWeek that Jira Align’s SaaS and Atlassian’s wider SaaS are not connected and that an attacker could not, in fact, access any information on the locked-down Jira Align AWS environment.
The company has provided the following statement:
“These are both known and patched medium-severity vulnerabilities. Our Security Intelligence team has verified that no customers that use Jira Align on an Atlassian hosted Cloud offering had either vulnerability exploited.
The server-side request forgery (SSRF) vulnerability is a known vulnerability and a patch was released mitigating the issue on June 9th. Our Security Intelligence team also verified that no customers that use Jira Align on an Atlassian hosted Cloud offering had this vulnerability exploited. Details can be found in the hotfix public release notes here: Hotfix Notes for 10.107.4.2.
For the insufficient authorization controls vulnerability, we released a patch on July 22nd and our Security Intelligence team also verified that the vulnerability was not exploited for any customers that use Jira Align on Atlassian hosted Cloud offering.
As always, we recommend that our server and data center customers apply the latest security patches and mitigations as soon as they are available in order to receive the latest features and fixes. We also recommend that our customers move to the cloud versions of Atlassian products to ensure they automatically receive the upgrades and security patches.”