A pair of vulnerabilities patched in Jira Align could in the “worst-case scenario” be combined by low-privileged malicious users to target Atlassian’s cloud infrastructure, a security researcher warns.
Jira Align is a software-as-a-service (SaaS) platform through which enterprises can scale their deployments of Atlassian Jira, the hugely popular bug tracking and project management application, in the cloud.
A Bishop Fox security researcher found a high severity (CVSS 8.8) authorization controls flaw that allows users with the ‘people’ permission to elevate their privilege, or that of any other user, to ‘super admin’ via the MasterUserEdit API (CVE-2022-36803).
Subsequently, abuse of a medium severity (CVSS 4.9) server-side request forgery (SSRF) bug (CVE-2022-36802) could then see attackers retrieve AWS credentials of the Atlassian service account that deployed the Jira Align instance.
MisAligned permissions
Super admins can among other things modify Jira connections, reset user accounts, and modify security settings, said Jake Shafer, senior security consultant at Bishop Fox.
Attackers could also access “everything the client of the SaaS had in their Jira deployment (or just take the whole thing offline, but I would hope there’s some backups in that case)”, he told The Daily Swig.
“Going by my pen testing experience, that could be everything from credentials and client information to details on unpatched vulnerabilities in their own applications and software.
“While, for good reason, my testing stopped at the edge of the Atlassian infrastructure, under the right conditions [leveraging the SSRF] potentially means gaining access to other client data through lateral or upward movement through Atlassian’s AWS infrastructure.
“Since Atlassian’s providing cloud tenants to these clients, gaining access to the infrastructure of the SaaS provider itself is pretty much worst-case scenario.”
The flaws affect version 10.107.4 and were patched in 10.109.3, which was released on July 22, 2022.
People permissions
The role of ‘people’ permissions varies depending on an instance’s configuration. “In the sandbox environment that was provisioned for testing purposes, this permission was added to the ‘program manager’ role, but could be exploited by any role with the ‘people’ permission,” explained Shafer in a Bishop Fox security advisory.
This could either be done by “intercepting the role change request directly to the API and modifying the cmbRoleID parameter to 9”, or by performing an API call with a POST request containing their session cookies.
The SSRF resides in the Jira Align ManageJiraConnectors API, which manages external connections.
A user-supplied URL value called txtAPIURL points to the relevant API location. Jira Align automatically appended /rest/api/2/ to the URL server side, but the further addition of ‘#’ “would allow an attacker to specify any URL”, warned Shafer.
The issues were unearthed on May 31, 2022, and reported to Atlassian on June 6, with the vendor initially addressing the SSRF with a hotfix version 10.108.3.5 on June 28.
The Daily Swig has invited Atlassian to comment. We will update the article if they do so.
Copyright 2021 Associated Press. All rights reserved.
