
Jira Align - Improper Authorization in MasterUserEdit API - CVE-2022-36803

    • 6.5
    • Medium
    • CVE-2022-36803

      The MasterUserEdit API in Atlassian Jira Align before version 10.109.2 allows an authenticated attacker with the People role permission to use the MasterUserEdit API to modify any user's role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox.

      Affected versions:

      • version < 10.109.2

      Fixed versions:

      • 10.109.2

            [JIRAALIGN-4281] Jira Align - Improper Authorization in MasterUserEdit API - CVE-2022-36803

            Security Metrics Bot made changes -
            CVE ID New: CVE-2022-36803
            David Black made changes -
            Resolution New: Fixed [ 1 ]
            Security Original: Atlassian Staff [ 10750 ]
            Status Original: Draft [ 12872 ] New: Published [ 12873 ]
            Prerana Shenoy made changes -
            Description Original:
            The MasterUserEdit API in Atlassian Jira Align before version 10.109.2 allows an authenticated attacker with the People role permission can use the MasterUserEdit API to modify any users role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox.
            New:
            The MasterUserEdit API in Atlassian Jira Align before version 10.109.2 allows an authenticated attacker with the People role permission can use the MasterUserEdit API to modify any users role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox.

            *Affected versions:*
             * version < 10.109.2

            *Fixed versions:*
             * 10.109.2
            Prerana Shenoy made changes -
            Summary Original: An Atlassian product has a security vulnerability. New: Jira Align - Improper Authorization in MasterUserEdit API - CVE-2022-36803
            Prerana Shenoy made changes -
            Description Original:
            This vulnerability affects certain versions of Atlassian Jira Align. Please describe the impact of the vulnerability here. No known vulnerability could be read off of the parent.
            New: The MasterUserEdit API in Atlassian Jira Align before version 10.109.2 allows an authenticated attacker with the People role permission can use the MasterUserEdit API to modify any users role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox.
            Prerana Shenoy made changes -
            Labels Original: advisory advisory-to-release dont-import security 🔢✅ New: advisory advisory-released dont-import security 🔢✅
            Security Metrics Bot made changes -
            Labels Original: advisory advisory-to-release dont-import security New: advisory advisory-to-release dont-import security 🔢✅
            Security Metrics Bot made changes -
            Labels New: advisory advisory-to-release dont-import security
            Security Metrics Bot created issue -

              Assignee: Unassigned
              Reporter: Security Metrics Bot (security-metrics-bot)