
Jira Align - Improper Authorization in MasterUserEdit API - CVE-2022-36803

    • 6.5
    • Medium
    • CVE-2022-36803

      The MasterUserEdit API in Atlassian Jira Align before version 10.109.2 allows an authenticated attacker with the People role permission to use the MasterUserEdit API to modify any user's role (including their own) to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox.

      Affected versions:

      • version < 10.109.2

      Fixed versions:

      • 10.109.2

            Issue history (newest first):

            Security Metrics Bot made changes - CVE ID set: CVE-2022-36803
            David Black made changes - Resolution set: Fixed; Security level removed (was: Atlassian Staff); Status: Draft -> Published
            Prerana Shenoy made changes - Description: "Affected versions" and "Fixed versions" lists added (description text otherwise unchanged)
            Prerana Shenoy made changes - Summary: "An Atlassian product has a security vulnerability." -> "Jira Align - Improper Authorization in MasterUserEdit API - CVE-2022-36803"
            Prerana Shenoy made changes - Description: template placeholder ("This vulnerability affects certain versions of Atlassian Jira Align. Please describe the impact of the vulnerability here. No known vulnerability could be read off of the parent.") -> the published description above
            Prerana Shenoy made changes - Labels: advisory advisory-to-release dont-import security 🔢✅ -> advisory advisory-released dont-import security 🔢✅
            Security Metrics Bot made changes - Labels: advisory advisory-to-release dont-import security -> advisory advisory-to-release dont-import security 🔢✅

            Security Metrics Bot added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 6.5 => Medium severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity Low
            Privileges Required High
            User Interaction None

            Scope Metric

            Scope Unchanged

            Impact Metrics

            Confidentiality High
            Integrity High
            Availability None

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

            Security Metrics Bot made changes - Labels set: advisory advisory-to-release dont-import security
            Security Metrics Bot created issue
