Jira Align flaws enabled malicious users to gain super admin privileges – and potentially worse

2 years ago 218
BOOK THIS SPACE FOR AD
ARTICLE AD

Lateral or upwards movement beyond the instance was theoretically possible, concludes researcher

Jira Align flaws enabled malicious users to gain super admin privileges - and potentially worse

A pair of vulnerabilities patched in Jira Align could in the “worst-case scenario” be combined by low-privileged malicious users to target Atlassian’s cloud infrastructure, a security researcher warns.

Jira Align is a software-as-a-service (SaaS) platform through which enterprises can scale their deployments of Atlassian Jira, the hugely popular bug tracking and project management application, in the cloud.

A Bishop Fox security researcher found a high severity (CVSS 8.8) authorization controls flaw that allows users with the ‘people’ permission to elevate their privilege, or that of any other user, to ‘super admin’ via the MasterUserEdit API (CVE-2022-36803).

Subsequently, abuse of a medium severity (CVSS 4.9) server-side request forgery (SSRF) bug (CVE-2022-36802) could then see attackers retrieve AWS credentials of the Atlassian service account that deployed the Jira Align instance.

MisAligned permissions

Super admins can among other things modify Jira connections, reset user accounts, and modify security settings, said Jake Shafer, senior security consultant at Bishop Fox.

Attackers could also access “everything the client of the SaaS had in their Jira deployment (or just take the whole thing offline, but I would hope there’s some backups in that case)”, he told The Daily Swig.

“Going by my pen testing experience, that could be everything from credentials and client information to details on unpatched vulnerabilities in their own applications and software.

Catch up with the latest cloud security news

“While, for good reason, my testing stopped at the edge of the Atlassian infrastructure, under the right conditions [leveraging the SSRF] potentially means gaining access to other client data through lateral or upward movement through Atlassian’s AWS infrastructure.

“Since Atlassian’s providing cloud tenants to these clients, gaining access to the infrastructure of the SaaS provider itself is pretty much worst-case scenario.”

The flaws affect version 10.107.4 and were patched in 10.109.3, which was released on July 22, 2022.

People permissions

The role of ‘people’ permissions varies depending on an instance’s configuration. “In the sandbox environment that was provisioned for testing purposes, this permission was added to the ‘program manager’ role, but could be exploited by any role with the ‘people’ permission,” explained Shafer in a Bishop Fox security advisory.

This could either be done by “intercepting the role change request directly to the API and modifying the parameter to ”, or by performing an API call with a request containing their session cookies.

The SSRF resides in the Jira Align API, which manages external connections.

A user-supplied URL value called points to the relevant API location. Jira Align automatically appended /rest/api/2/ to the URL server side, but the further addition of ‘#’ “would allow an attacker to specify any URL”, warned Shafer.

The issues were unearthed on May 31, 2022, and reported to Atlassian on June 6, with the vendor initially addressing the SSRF with a hotfix version 10.108.3.5 on June 28.

The Daily Swig has invited Atlassian to comment. We will update the article if they do so.

RECOMMENDED Policy-as-code approach counters ‘cloud native’ security risks

Read Entire Article