Uploaded image for project: 'Jira Align'
  1. Jira Align
  2. JIRAALIGN-4281

Jira Align - Improper Authorization in MasterUserEdit API - CVE-2022-36803

XMLWordPrintable

    • 6.5
    • Medium
    • CVE-2022-36803

      The MasterUserEdit API in Atlassian Jira Align before version 10.109.2 allows an authenticated attacker with the People role permission can use the MasterUserEdit API to modify any users role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox.

      Affected versions:

      • version < 10.109.2

      Fixed versions:

      • 10.109.2

          Form Name

            [JIRAALIGN-4281] Jira Align - Improper Authorization in MasterUserEdit API - CVE-2022-36803

            Security Metrics Bot added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 6.5 => Medium severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity Low
            Privileges Required High
            User Interaction None

            Scope Metric

            Scope Unchanged

            Impact Metrics

            Confidentiality High
            Integrity High
            Availability None

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

            Security Metrics Bot added a comment - This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 6.5 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required High User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality High Integrity High Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: