Editor's note: Updated Oct. 26 with a statement from Atlassian's chief information security officer (see below).
Researchers on Monday found two vulnerabilities in Atlassian’s cloud-based Jira Align development environment software that the researchers said security teams should fix by updating to Version 10.109.3 or newer.
In a blog post, BishopFox researchers said the first vulnerability was a server-side request forgery (SSRF) in the "Connectors" settings that would let a user retrieve the Amazon Web Services (AWS) credentials of the Atlassian service account that provisioned the Jira Align instance.
The second vulnerability was an insufficient authorization controls issue in the "People" permission that lets any user holding this permission elevate their own role to Super Admin.
Jira Align, a well-known enterprise agile planning platform that connects coding work with product and program portfolio management, also lets developers connect and organize data by creating real-time reports.
Given how widely used Jira is across a range of organizations, these vulnerabilities have a potentially wide reach, said Mike Parkin, senior technical engineer at Vulcan Cyber. However, Parkin said there are some mitigating factors.
For the first vulnerability, Parkin said it’s unclear from the blog at this point whether an attacker could leverage the vulnerability to get any deeper into the Atlassian system, or whether an attacker who did not already have an account could execute the attack at all. With the second vulnerability, it appears the attacker would need existing credentials on the instance in order to escalate privileges.
“While it would somewhat reduce the risk from purely external threats, it would do nothing against an insider or an attacker who has garnered stolen credentials for the target system,” Parkin said. “Hopefully, Atlassian will address these issues quickly.”
Nick Rago, Field CTO at Salt Security, added that the challenge of these types of vulnerabilities is that they were not visible through the web interface of the Jira Align app. The presentation layer in the browser did have logic to restrict UI access to features, such as selecting Super Admin as a role.
“However, the underlying APIs were not hardened from an authorization standpoint to protect against this type of business logic attack at the API layer,” Rago explained. “This allows a would-be attacker a way to circumvent and bypass any UX restrictions placed upon them.”
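The failure Rago describes, a role restriction enforced only in the browser while the API trusts whatever role value it receives, is shown below as an added example that is not code from the article or from Jira Align. The role names, the `people` permission and the rank ladder are constructed for illustration; the point is that the hardened handler decides server-side, so hiding an option in the UI is never the control.

```python
from dataclasses import dataclass, field

# Constructed role ladder; a caller may never grant a role ranked above their own.
ROLE_RANK = {"member": 0, "people_admin": 1, "super_admin": 2}


class AuthorizationError(Exception):
    pass


@dataclass
class User:
    name: str
    role: str
    permissions: frozenset = field(default_factory=frozenset)


def update_role_ui_only(caller: User, target: User, new_role: str) -> str:
    """Weak pattern: the API checks only the coarse 'people' permission and then
    trusts the role value the client sent. Removing 'super_admin' from the UI
    dropdown does nothing against a request that bypasses the UI."""
    if "people" not in caller.permissions:
        raise AuthorizationError(f"{caller.name} lacks the people permission")
    target.role = new_role
    return target.role


def update_role_hardened(caller: User, target: User, new_role: str) -> str:
    """Hardened: the server validates the role and refuses any grant above the
    caller's own rank, so a people_admin cannot make anyone super_admin."""
    if "people" not in caller.permissions:
        raise AuthorizationError(f"{caller.name} lacks the people permission")
    if new_role not in ROLE_RANK:
        raise ValueError(f"unknown role {new_role!r}")
    if ROLE_RANK[new_role] > ROLE_RANK[caller.role]:
        # Worth logging as a detection signal: a role grant above the caller's level.
        raise AuthorizationError(
            f"{caller.name} ({caller.role}) may not grant {new_role} to {target.name}"
        )
    target.role = new_role
    return target.role


def demo():
    """Same self-promotion request against both handlers; returns (weak, hardened) role."""
    weak = User("alice", "people_admin", frozenset({"people"}))
    weak_result = update_role_ui_only(weak, weak, "super_admin")
    strict = User("alice", "people_admin", frozenset({"people"}))
    try:
        update_role_hardened(strict, strict, "super_admin")
    except AuthorizationError:
        pass  # role left unchanged
    return weak_result, strict.role
```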
In a statement emailed to SC Media on Oct. 26, Bala Sathiamurthy, Atlassian's chief information security officer, responded to BishopFox's blog post on the vulnerabilities:
"These are both known and patched medium-severity vulnerabilities. Our Security Intelligence team has verified that no customers that use Jira Align on an Atlassian hosted Cloud offering had either vulnerability exploited.
"The server-side request forgery (SSRF) vulnerability is a known vulnerability and a patch was released mitigating the issue on June 9th. Our Security Intelligence team also verified that no customers that use Jira Align on an Atlassian-hosted Cloud offering had this vulnerability exploited. Details can be found in the hotfix public release notes here: Hotfix Notes for 10.107.4.2. For the insufficient authorization controls vulnerability, we released a patch on July 22nd and our Security Intelligence team also verified that the vulnerability was not exploited for any customers that use Jira Align on an Atlassian-hosted Cloud offering.
"As always, we recommend that our server and data center customers apply the latest security patches and mitigations as soon as they are available in order to receive the latest features and fixes. We also recommend that our customers move to the cloud versions of Atlassian products to ensure they automatically receive the upgrades and security patches."