Vulnerabilities addressed recently in Jira Align could allow an attacker to elevate privileges, obtain Atlassian cloud credentials, and potentially go after Atlassian infrastructure, researchers with Bishop Fox warn.
Jira Align is an enterprise software-as-a-service (SaaS) product for planning development lifecycles; where Jira connects teams to each other, Jira Align connects teams to the business.
Bishop Fox researchers have identified two high-severity security defects in Jira Align and warn that an attack exploiting both could have a critical impact not only on Jira Align, but on Atlassian infrastructure as well.
The first of the bugs is described as a server-side request forgery (SSRF) flaw in the application’s ‘Connectors’ settings. An attacker could exploit this vulnerability to “retrieve the AWS credentials of the Atlassian service account that provisioned the Jira Align instance,” Bishop Fox explains.
The second issue is described as insufficient authorization controls in the ‘People’ permission, allowing any user that has this permission to modify their role and become Super Admin, the highest role in Jira Align.
With Super Admin privileges, an attacker could access all data in Jira Align, change user or account settings, and alter the application's security controls.
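The second bug is a missing authorization check on role changes by users holding the 'People' permission. The following is an added illustration, not Jira Align's code: a role-change handler with the checks such a permission should enforce. The role names, the rank order and the permission name are assumptions modelled on the article, not Jira Align's real schema.

```python
# Added example (not Jira Align's code): authorization for a "change role"
# request made by a user holding a 'People'-style permission.
# Role names, their ranking and the permission name are assumptions.
from dataclasses import dataclass, field

# Assumed hierarchy, least to most privileged.
ROLE_RANK = {"member": 1, "team_admin": 2, "portfolio_admin": 3, "super_admin": 4}


@dataclass
class User:
    name: str
    role: str
    permissions: set = field(default_factory=set)


class AuthorizationError(Exception):
    pass


def change_role(actor: User, target: User, new_role: str) -> str:
    """Apply a role change or raise AuthorizationError.

    Checks a permission-only model (as described for the bug) lacks:
      1. the actor must hold the 'people' permission at all;
      2. the actor may never change their own role (no self-elevation);
      3. the actor may not grant a role above their own;
      4. the actor may not modify an account that outranks them.
    """
    if new_role not in ROLE_RANK:
        raise ValueError(f"unknown role: {new_role}")
    if "people" not in actor.permissions:
        raise AuthorizationError("missing 'people' permission")
    if actor.name == target.name:
        raise AuthorizationError("cannot change own role")
    actor_rank = ROLE_RANK[actor.role]
    if ROLE_RANK[new_role] > actor_rank:
        raise AuthorizationError("cannot grant a role above your own")
    if ROLE_RANK[target.role] > actor_rank:
        raise AuthorizationError("cannot modify a higher-privileged account")
    target.role = new_role
    return target.role


def try_change(actor: User, target: User, new_role: str) -> bool:
    """Return True if the change was applied, False if it was refused."""
    try:
        change_role(actor, target, new_role)
        return True
    except AuthorizationError:
        return False
```

A refused request is also the event worth logging and alerting on: a low-privileged account repeatedly attempting to grant itself or others `super_admin` is the pattern this bug would have produced.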
Bishop Fox told SecurityWeek that an attacker with low-level user access could exploit the second vulnerability to become Super Admin and then leverage the SSRF to obtain Atlassian cloud credentials.
“If the Atlassian AWS environment was not properly locked down, that attacker would have been able to go after Atlassian infrastructure due to the fact that the credentials are not specific to the client, but for the Atlassian SaaS,” Bishop Fox said.
In this worst-case scenario, the attacker’s actions could represent a risk for multiple Atlassian clients that are connected to the infrastructure.
Tracked as CVE-2022-36802 and CVE-2022-36803, both vulnerabilities could be exploited remotely. The bugs were addressed in July with the release of Jira Align 10.109.3.
By Ionut Arghire on Tue, 25 Oct 2022 10:37:31 +0000