Vulnerabilities addressed recently in Jira Align could allow an attacker to elevate privileges, obtain Atlassian cloud credentials, and potentially go after Atlassian infrastructure, researchers with Bishop Fox warn.
Jira Align is an enterprise software-as-a-service (SaaS) platform for planning development lifecycles. Where Jira connects engineering teams to each other, Jira Align is meant to connect those teams to the business.
Bishop Fox researchers have identified two high-severity security defects in Jira Align and warn that an attack exploiting both could have a critical impact not only on Jira Align, but on Atlassian infrastructure as well.
The first bug is a server-side request forgery (SSRF) flaw in the application’s ‘Connectors’ settings: the Jira Align server could be made to issue requests to destinations of the attacker’s choosing. An attacker could exploit this to “retrieve the AWS credentials of the Atlassian service account that provisioned the Jira Align instance,” Bishop Fox explains.
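The usual way an SSRF in a cloud-hosted application yields AWS credentials is a request to the instance metadata service on the link-local address 169.254.169.254; the article does not say which endpoint Bishop Fox reached, so treat that as general context rather than a detail of this finding. The following is an added example, not Jira Align’s code, of the destination check a connector-style feature needs before fetching a user-supplied URL. The function names, the blocked-range list and the constructed DNS table are this example’s own assumptions.

```python
"""Illustrative SSRF guard for an outbound 'connector' URL (added example).

Not Jira Align's code. is_safe_connector_url, BLOCKED_NETWORKS and FAKE_DNS
are this example's own. The resolver is injectable so the check can be run
offline against a constructed DNS table.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Networks a server-side fetch should never reach: loopback, link-local
# (which includes the 169.254.169.254 cloud metadata address), RFC 1918,
# shared-address and unique-local space, and the unspecified address.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]


def _default_resolve(host):
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def vulnerable_connector_url(url):
    """The shape of the bug class: accept any http(s) URL the user typed."""
    return url.startswith(("http://", "https://"))


def is_safe_connector_url(url, resolve=_default_resolve):
    """Return True only if every address the host resolves to is public.

    Checks the scheme, rejects embedded credentials, resolves the host and
    tests each resulting address against BLOCKED_NETWORKS. A real client
    should then connect to exactly the addresses validated here; validating
    and re-resolving later reopens a DNS-rebinding window.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if not host:
        return False
    try:
        addrs = resolve(host)
    except OSError:          # socket.gaierror is a subclass of OSError
        return False
    if not addrs:
        return False
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        # Unwrap IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) before checking.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if any(ip in net for net in BLOCKED_NETWORKS):
            return False
    return True


# Constructed DNS table for offline demonstration; these are not real records.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],       # alias for the metadata service
    "rebind.test": ["93.184.216.34", "10.0.0.5"],   # one public and one private answer
}


def fake_resolve(host):
    """Offline stand-in for DNS: IP literals resolve to themselves."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        if host in FAKE_DNS:
            return FAKE_DNS[host]
        raise socket.gaierror(f"unknown host {host}")


if __name__ == "__main__":
    for candidate in ("https://example.com/api", "http://169.254.169.254/latest/meta-data/",
                      "http://metadata.internal/", "https://rebind.test/", "http://[::1]/"):
        print(candidate, "->", is_safe_connector_url(candidate, fake_resolve))
```

The check rejects a host as soon as any one of its answers lands in a blocked range, which is what defeats the mixed-answer trick shown by `rebind.test`; an allowlist of approved connector hosts is stricter still and is the better choice when the set of integrations is known.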
The second issue is insufficient authorization control on the ‘People’ permission: any user who holds it could modify their own role and promote themselves to Super Admin, the highest role in Jira Align.
With Super Admin privileges, an attacker could access all data in Jira Align, change user or account settings, and alter the application’s security controls.
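The defect described above is the classic gap between a feature permission (“may this user open the People screen?”) and object-level authorization (“may this user change this account to this role?”). The following is an added example, not Jira Align’s code, contrasting a role-change handler that stops at the permission check with one that also refuses self-modification and caps the grantable role at the actor’s own rank. The role ladder below Super Admin, the permission string and the function names are this example’s own assumptions.

```python
"""Illustrative authorization for a role-change operation (added example).

Not Jira Align's code. ROLE_RANK, the 'People' permission string and the
functions are this example's own. Only 'Super Admin' as the top role comes
from the article.
"""
from dataclasses import dataclass, field

# Roles ordered from least to most privileged; the value is the rank.
ROLE_RANK = {"Member": 0, "Team Admin": 1, "Portfolio Admin": 2, "Super Admin": 3}


@dataclass
class User:
    name: str
    role: str
    permissions: set = field(default_factory=set)


class AuthorizationError(Exception):
    pass


def change_role_vulnerable(actor, target, new_role):
    """Checks only the feature permission: the insufficient-authorization bug.

    Anyone holding 'People' can set any account, including their own, to any
    role, which is exactly the self-promotion to Super Admin the article describes.
    """
    if "People" not in actor.permissions:
        raise AuthorizationError("missing People permission")
    if new_role not in ROLE_RANK:
        raise ValueError(f"unknown role {new_role!r}")
    target.role = new_role
    return target.role


def change_role_hardened(actor, target, new_role):
    """Same operation with object-level, rank-aware checks added."""
    if "People" not in actor.permissions:
        raise AuthorizationError("missing People permission")
    if new_role not in ROLE_RANK:
        raise ValueError(f"unknown role {new_role!r}")
    # Role changes to one's own account go through a separate, audited path.
    if actor is target or actor.name == target.name:
        raise AuthorizationError("users may not change their own role")
    actor_rank = ROLE_RANK[actor.role]
    # A non-Super-Admin may only touch accounts strictly below their own rank,
    # so a lower role can never demote or rewrite a higher one.
    if actor.role != "Super Admin" and ROLE_RANK[target.role] >= actor_rank:
        raise AuthorizationError("cannot modify a user at or above your own rank")
    # Nobody may grant a role above their own; only Super Admins mint Super Admins.
    if ROLE_RANK[new_role] > actor_rank:
        raise AuthorizationError("cannot grant a role above your own")
    target.role = new_role
    return target.role


def attempt(change_role, actor, target, new_role):
    """Run one role change and report the outcome as a string.

    Returns the target's role afterwards when the change went through, or the
    authorization error message when the checker refused it.
    """
    try:
        return change_role(actor, target, new_role)
    except AuthorizationError as exc:
        return str(exc)


def self_promotion(change_role):
    """The scenario from the article: a low-privileged user holding 'People'
    tries to make themselves Super Admin. Constructed user, not real data."""
    mallory = User("mallory", "Member", {"People"})
    return attempt(change_role, mallory, mallory, "Super Admin")


if __name__ == "__main__":
    print("vulnerable:", self_promotion(change_role_vulnerable))
    print("hardened:  ", self_promotion(change_role_hardened))
```

The hardened version still lets a Portfolio Admin with the People permission do legitimate work (promote a Member to Team Admin, say); what it removes is any path by which the holder of one feature permission can end up above the person who granted it.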
Bishop Fox told SecurityWeek that an attacker with low-privileged user access could chain the two flaws: exploit the authorization issue to become Super Admin, then use the SSRF to obtain Atlassian cloud credentials.
“If the Atlassian AWS environment was not properly locked down, that attacker would have been able to go after Atlassian infrastructure due to the fact that the credentials are not specific to the client, but for the Atlassian SaaS,” Bishop Fox said.
In this worst-case scenario, the attacker’s actions could put at risk multiple Atlassian customers that share the same infrastructure.
Tracked as CVE-2022-36802 and CVE-2022-36803, both vulnerabilities could be exploited remotely. The bugs were addressed in July with the release of Jira Align 10.109.3.
UPDATE: On October 26, Atlassian told SecurityWeek that Jira Align’s SaaS and Atlassian’s wider SaaS are not connected and that an attacker could not, in fact, access any information on the locked-down Jira Align AWS environment.
The company has provided the following statement:
“These are both known and patched medium-severity vulnerabilities. Our Security Intelligence team has verified that no customers that use Jira Align on an Atlassian hosted Cloud offering had either vulnerability exploited.
The server-side request forgery (SSRF) vulnerability is a known vulnerability and a patch was released mitigating the issue on June 9th. Our Security Intelligence team also verified that no customers that use Jira Align on an Atlassian hosted Cloud offering had this vulnerability exploited. Details can be found in the hotfix public release notes here: Hotfix Notes for 10.107.4.2.
For the insufficient authorization controls vulnerability, we released a patch on July 22nd and our Security Intelligence team also verified that the vulnerability was not exploited for any customers that use Jira Align on an Atlassian hosted Cloud offering.
As always, we recommend that our server and data center customers apply the latest security patches and mitigations as soon as they are available in order to receive the latest features and fixes. We also recommend that our customers move to the cloud versions of Atlassian products to ensure they automatically receive the upgrades and security patches.”
More from Ionut Arghire