Two flaws in Atlassian Jira Align, a SaaS tool, allow service users to become application administrators and then attack the Atlassian service.
Bishop Fox discovered two vulnerabilities in Atlassian's Jira Align application, which is used to set agile-development goals, track progress toward those goals, and create agile strategies.
What was found?
Because Jira Align relies on Atlassian's infrastructure, an attacker who exploits it gains easy access to a portion of the company's cloud infrastructure.
One vulnerability, a server-side request forgery (SSRF), allows a user to retrieve the AWS credentials of the Atlassian service account that supports the Jira Align instance.
The second vulnerability allows users to become Super Admins, giving them access to all Jira Align tenant settings, such as resetting accounts and modifying settings. An attacker with that access could then use the SSRF vulnerability to compromise Atlassian's infrastructure.
According to a Bishop Fox security consultant, combining the two flaws could enable a significant attack. Atlassian patched the two vulnerabilities within a week and a month, respectively.
An SSRF attack abuses the functionality and servers of a cloud service to make requests on the attacker's behalf, frequently bypassing network-edge security and some internal security measures.
Other server-side request forgery flaws have previously been reported in Atlassian's Jira software. The same technique was used in 2019, when a former Amazon Web Services employee exploited an SSRF vulnerability to steal information from the financial firm Capital One.
How to counter cloud security bugs?
With the vast majority of businesses now using cloud services, even well-established firms can make mistakes, so it is critical to address the top cloud vulnerabilities.
Trust, but verify, all new software on which the company relies.
Developers should always validate user-supplied content before completing a request.
Additional input-sanitization checks may be necessary to prevent both attacks.
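For SSRF, validating user-supplied content before the server acts on it mostly means refusing to fetch URLs that point back into your own infrastructure. The Python below is an added example, not code from the article or from Atlassian: it allowlists destination hosts, resolves each one, rejects any answer in a private, loopback or link-local range (169.254.169.254, the cloud instance-metadata address, is the usual credential-theft target), and returns the vetted IP so the caller can pin the connection to it. The allowlist, the SAMPLE_DNS table and sample_resolver are constructed so the example runs offline; the function names are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges an internal service must never be steered into contacting. 169.254.0.0/16
# includes 169.254.169.254, the cloud instance-metadata endpoint that hands out
# temporary credentials to whatever runs on the host.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed DNS table so the example runs offline; these are not real hosts.
SAMPLE_DNS = {
    "api.example-partner.com": ["203.0.113.10"],
    "rebinding.example.net": ["203.0.113.20", "169.254.169.254"],  # one record hits metadata
}


def sample_resolver(host, port, *args):
    """Stand-in for socket.getaddrinfo with the same return shape."""
    if host not in SAMPLE_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port)) for ip in SAMPLE_DNS[host]]


def is_public_ip(ip):
    """True only if ip is outside every blocked range (IPv4-mapped IPv6 is unwrapped)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not any(addr in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url, allowed_hosts, resolver=socket.getaddrinfo):
    """Return (scheme, host, pinned_ip, port) for a URL the server may fetch, else raise ValueError."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username is not None or parsed.password is not None:
        raise ValueError("userinfo in URL is not allowed")      # blocks allowed-host@evil tricks
    host = parsed.hostname
    if not host or host not in allowed_hosts:
        raise ValueError(f"host not in allowlist: {host!r}")
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    try:
        addresses = [info[4][0] for info in resolver(host, port, 0, socket.SOCK_STREAM)]
    except OSError as exc:
        raise ValueError(f"{host!r} did not resolve") from exc
    if not addresses:
        raise ValueError(f"{host!r} did not resolve")
    for ip in addresses:
        if not is_public_ip(ip):              # every record must be clean, not just the first
            raise ValueError(f"{host!r} resolves to blocked address {ip}")
    # Hand back one vetted IP: the caller should connect to it (sending Host: host)
    # rather than resolve again, so a DNS answer cannot change between check and use.
    return parsed.scheme, host, addresses[0], port


def is_safe_outbound_url(url, allowed_hosts, resolver=socket.getaddrinfo):
    """Boolean convenience wrapper around validate_outbound_url."""
    try:
        validate_outbound_url(url, allowed_hosts, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    allowed = {"api.example-partner.com", "rebinding.example.net"}
    for url in ("https://api.example-partner.com/v1/status",
                "http://169.254.169.254/latest/meta-data/",
                "https://api.example-partner.com@evil.example.org/",
                "https://rebinding.example.net/"):
        try:
            print("allow", validate_outbound_url(url, allowed, sample_resolver))
        except ValueError as exc:
            print("deny ", url, "->", exc)
```

Two points matter when wiring this into a real fetch: most HTTP client libraries resolve the hostname again when they connect, so the pinned IP has to be applied at the transport layer (or the check repeated on the connected socket), and any redirect the remote server returns must go through the same validation before it is followed.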
Manually test third-party applications, or ask the cloud provider for the results of its security assessments.
Automated tools rely on a fixed set of rules or guidelines to decide what to look for, whereas authorization issues are unique to each piece of software.
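Because authorization rules are specific to each application, they have to be enforced explicitly in server-side code rather than assumed from which screen a user reached. The Python below is an added example and is not code from the article or from Jira Align: it contrasts a role-change handler that never looks at who is calling with one that derives the decision from the caller's stored role and records every attempt for detection. Role, User, change_role and the in-memory users table are hypothetical, and the policy rules are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Role(IntEnum):
    """Hypothetical privilege ladder; higher values carry more rights."""
    MEMBER = 1
    ADMIN = 2
    SUPER_ADMIN = 3


@dataclass
class User:
    user_id: int
    role: Role


class AuthorizationError(PermissionError):
    pass


def change_role_unchecked(users, target_id, new_role):
    """Vulnerable form: assumes only admins can reach this handler and never
    checks the caller, so anyone who can send the request can make any
    account (including their own) a SUPER_ADMIN."""
    users[target_id].role = Role(new_role)
    return users[target_id]


def can_grant(caller_role, target_role, new_role):
    """Constructed policy: the caller must be at least ADMIN, may not touch an
    account above its own level, and may not grant a role above its own."""
    return caller_role >= Role.ADMIN and target_role <= caller_role and new_role <= caller_role


def change_role(users, caller_id, target_id, new_role, audit_log):
    """Hardened form: decide on the server from stored roles, never from the request,
    and log allowed and denied attempts alike so escalation tries are visible."""
    caller, target = users[caller_id], users[target_id]
    new_role = Role(new_role)                      # rejects values outside the enum
    allowed = can_grant(caller.role, target.role, new_role)
    audit_log.append((caller_id, target_id, new_role.name, "allowed" if allowed else "denied"))
    if not allowed:
        raise AuthorizationError(f"user {caller_id} ({caller.role.name}) may not grant {new_role.name}")
    target.role = new_role
    return target


def sample_users():
    """Constructed tenant: one super admin, one admin, two members."""
    return {u.user_id: u for u in (User(1, Role.SUPER_ADMIN), User(2, Role.ADMIN),
                                   User(3, Role.MEMBER), User(4, Role.MEMBER))}


if __name__ == "__main__":
    users = sample_users()
    print("unchecked:", change_role_unchecked(users, 3, Role.SUPER_ADMIN))  # member self-promotes

    users, log = sample_users(), []
    attempts = ((3, 3, Role.SUPER_ADMIN),   # member tries to promote itself
                (2, 3, Role.ADMIN),         # admin promotes member to admin
                (2, 4, Role.SUPER_ADMIN),   # admin tries to grant above its own level
                (1, 4, Role.SUPER_ADMIN))   # super admin grants super admin
    for caller, target, role in attempts:
        try:
            print("ok    ", change_role(users, caller, target, role, log))
        except AuthorizationError as exc:
            print("denied", exc)
    print(log)
```

The audit trail is the detection hook: a denied entry from a MEMBER requesting SUPER_ADMIN is exactly the signal a monitoring rule should alert on, and it exists only because the check is made on the server.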