JIRAALIGN-4281 (atlassian, security-metrics-bot), Jul 15, 2022, 8:57 p.m.
Jira Align - Improper Authorization in MasterUserEdit API - CVE-2022-36803

2022-07-1520:57:28
security-metrics-bot
jira.atlassian.com
Tags: jira align, improper authorization, masteruseredit, cve-2022-36803, atlassian, authentication, people role, super admin, vulnerability, jacob shafer, bishop fox, affected versions, fixed versions, software

CVSS3: 8.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001
Percentile: 50.1%

The MasterUserEdit API in Atlassian Jira Align before version 10.109.2 allows an authenticated attacker with the People role permission to use the MasterUserEdit API to modify any user's role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox.

Affected versions:

  • version < 10.109.2

Fixed versions:

  • 10.109.2

Affected configurations

Vulners node:

  • atlassian jira_align, range: 10.107.4
  OR
  • atlassian jira_align, range: < 10.109.2

Vendor: atlassian
Product: jira_align
Version: *
CPE: cpe:2.3:a:atlassian:jira_align:*:*:*:*:*:*:*:*
