Security researchers at Bishop Fox reported two vulnerabilities in Jira Align that allowed users to access the administrator area to attack Atlassian’s services. As per the report, the vulnerabilities existed within the software company’s cloud development platform and could put other cloud apps at risk.
In an advisory released on October 25, the security organization stated the vulnerabilities and how they could affect the Jira Align application. Since Atlassian provides every Jira Align instance, the chances of a hacker taking over a portion of the business’ cloud infrastructure increase significantly.
Atlassian vulnerabilities explained
According to the report, the two vulnerabilities could currently harm the platform’s cloud apps. The first vulnerability is the server-side request forgery (SSRF), which allows users to retrieve AWS credentials for Atlassian service accounts. The second vulnerability exists within the authorization mechanism for users (people role), which the user could exploit to gain administrator control over the Jira Align tenant — including, but not limited to, modifying files, changing roles, resetting accounts, and more.
Jake Shafer, the security consultant at Bishop Fox who reported the vulnerability, elaborated on how the amalgamation of the two discovered flaws could lead to a “significant attack”. “Using the authorization finding would allow a low-privileged user to elevate their role to super admin, which, in terms of information disclosure, would allow the attacker to gain access to everything the client of the SaaS had in their Jira deployment,” he said in the report. Adding, “From there, the attacker could then leverage the SSRF finding to go after the infrastructure of Atlassian themselves.
After the vulnerability was found, the company released a new security patch within a week, and the second patch was released within a month. Sources claim that the probability of attackers targeting cloud services is increasing exponentially. Every corporation should implement a quick mitigation technique to protect its resources and customers from falling victim to these attacks.
SSRF is a relatively new vulnerability that exploits a cloud service’s capabilities and servers to conduct attacks, frequently evading protection at the network edge and some internal security controls. Additionally, it is challenging for automated techniques to identify permission concerns.
Although Atlassian is not alone, its Jira software has already had to cope with numerous instances of server-side request forgery. A previous user of Amazon Web Services used an SSRF vulnerability in 2019 to steal information from the banking institution Capital One.