
Jira Align - SSRF in ManageJiraConnectors API - CVE-2022-36802

    • CVSS score: 8.7
    • Severity: High
    • CVE: CVE-2022-36802

      The ManageJiraConnectors API in Atlassian Jira Align before version 10.109.2 allows remote attackers to exploit this issue to access internal network resources via a Server-Side Request Forgery. This can be exploited by a remote, unauthenticated attacker with Super Admin privileges by sending a specially crafted HTTP request. This vulnerability was reported by Jacob Shafer from Bishop Fox.

      Affected versions:

      • version < 10.109.2

      Fixed versions:

      • 10.109.2
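The root cause described in this advisory's history is a connector URL parameter that the server fetched without checking where it pointed, which let an AWS instance-metadata address be supplied. The following validator is an added, defender-side example written for this page and is not Atlassian's code or the actual fix; the blocked-network list, the `demo_resolver` and the `.example` hostnames are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Address space an outbound integration URL must never reach. Constructed policy for this
# example; 169.254.0.0/16 covers the cloud instance-metadata service named in the advisory.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"https"}


def is_blocked_address(addr: str) -> bool:
    """True if addr (IPv4, IPv6 or IPv4-mapped IPv6) falls inside a blocked network."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:  # ::ffff:169.254.169.254 style
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_connector_url(url: str, resolver=socket.getaddrinfo) -> tuple[bool, str]:
    """Return (ok, reason). Checks scheme, embedded credentials and, for hostnames, every
    address the resolver returns, so a name that points at internal space is rejected."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    port = parts.port or 443
    try:
        targets = [parts.hostname]
        ipaddress.ip_address(parts.hostname)          # literal IP: check it directly
    except ValueError:                                 # hostname: check what it resolves to
        try:
            targets = sorted({info[4][0] for info in resolver(parts.hostname, port)})
        except socket.gaierror:
            return False, "host does not resolve"
    for addr in targets:
        if is_blocked_address(addr):
            return False, f"host resolves to blocked address {addr}"
    return True, "ok"


# Constructed resolver so the example runs offline; addresses are documentation/test values.
def demo_resolver(host, port, *_):
    table = {"jira.example.com": ["203.0.113.10"], "lookup.example": ["169.254.169.254"]}
    if host not in table:
        raise socket.gaierror(host)
    return [(None, None, None, "", (addr, port)) for addr in table[host]]
```

The check only holds if the outbound request then connects to the address that was validated (pinning it rather than resolving again) and if every redirect target is validated the same way, otherwise DNS rebinding or a redirect reopens the gap.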

            [JIRAALIGN-4326] Jira Align - SSRF in ManageJiraConnectors API - CVE-2022-36802

            Security Metrics Bot made changes -
            CVE ID New: CVE-2022-36802
            Prerana Shenoy made changes -
            Description Original: There was a *Server-Side Request Forgery* vulnerability in Jira Align via the ManageJiraConnectors API. An attacker with permission to specify an AWS metadata endpoint in a user-supplied parameter is able to exploit this issue to return the AWS credentials of the service account that deployed the instance of Jira Align.
            The affected versions are before version 10.109.2.

            *Affected versions:*
             * version < 10.109.2

            *Fixed versions:*
             * 10.109.2
            New: The ManageJiraConnectors API in Atlassian Jira Align before version 10.109.2 allows remote attackers to exploit this issue to access internal network resources via a Server-Side Request Forgery. This can be exploited by a remote, unauthenticated attacker with Super Admin privileges by sending a specially crafted HTTP request. This vulnerability was reported by Jacob Shafer from Bishop Fox.

            *Affected versions:*
             * version < 10.109.2

            *Fixed versions:*
             * 10.109.2
            Prerana Shenoy made changes -
            Summary Original: Jira Align - SSRF in ManageJiraConnectors API New: Jira Align - SSRF in ManageJiraConnectors API - CVE-2022-36802
            Prerana Shenoy made changes -
            Resolution New: Fixed [ 1 ]
            Security Original: Atlassian Staff [ 10750 ]
            Status Original: Draft [ 12872 ] New: Published [ 12873 ]
            Prerana Shenoy made changes -
            Labels Original: advisory advisory-to-release dont-import security 🔢✅ New: advisory advisory-released dont-import security 🔢✅
            Prerana Shenoy made changes -
            Summary Original: An Atlassian product has a security vulnerability. New: Jira Align - SSRF in ManageJiraConnectors API
            Prerana Shenoy made changes -
            Description Original:
            This vulnerability affects certain versions of Atlassian Jira Align. Please describe the impact of the vulnerability here. No known vulnerability could be read off of the parent.
            The affected versions are before version 10.109.2.

            *Affected versions:*

             * version < 10.109.2

            *Fixed versions:*

             * 10.109.2

            New: There was a *Server-Side Request Forgery* vulnerability in Jira Align via the ManageJiraConnectors API. An attacker with permission to specify an AWS metadata endpoint in a user-supplied parameter is able to exploit this issue to return the AWS credentials of the service account that deployed the instance of Jira Align.
            The affected versions are before version 10.109.2.

            *Affected versions:*
             * version < 10.109.2

            *Fixed versions:*
             * 10.109.2
            Security Metrics Bot made changes -
            Labels Original: advisory advisory-to-release dont-import security New: advisory advisory-to-release dont-import security 🔢✅
            Security Metrics Bot made changes -
            Labels New: advisory advisory-to-release dont-import security
            Security Metrics Bot created issue -

              Assignee: Unassigned
              Reporter: Security Metrics Bot