Jira Align is an enterprise software-as-a-service (SaaS) product for planning development lifecycles; it helps software companies connect teams to the business, whereas Jira connects teams to each other.
Bishop Fox researchers have identified two high-severity security defects in Jira Align and warn that an attack exploiting both could have a critical impact not only on Jira Align, but on Atlassian infrastructure as well.
The first of the bugs is described as a server-side request forgery (SSRF) flaw in the application’s ‘Connectors’ settings. An attacker could exploit this vulnerability to “retrieve the AWS credentials of the Atlassian service account that provisioned the Jira Align instance,” Bishop Fox explains.
The second issue is described as insufficient authorization controls on the ‘People’ permission: any user who holds this permission can modify their own role and become Super Admin, the highest role in Jira Align.
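The SSRF in the ‘Connectors’ settings is the class of bug that an outbound-URL validator on the server side is meant to stop. The block below is an added example, not code from Atlassian, Jira Align or Bishop Fox: it checks a user-supplied connector URL and rejects anything that resolves into link-local, loopback or private address space, including the AWS instance-metadata endpoint (169.254.169.254) from which an SSRF typically reads the instance role's credentials. The hostnames, the blocked ranges and the `resolver` hook are assumptions for illustration.

```python
# Added example (not the vendor's code): validate an outbound "connector" URL
# before the application fetches it, so a settings page cannot be turned into
# a proxy for internal or cloud-metadata endpoints.
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges an outbound-request feature should never reach. 169.254.0.0/16
# covers the AWS instance-metadata service (169.254.169.254), which hands out
# temporary credentials for the instance's role; the rest is loopback, private
# and IPv4-mapped IPv6 space that would otherwise bypass an IPv4-only check.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]
ALLOWED_SCHEMES = {"https"}


def default_resolver(host):
    """Resolve a hostname to every address it maps to (IPv4 and IPv6)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def classify_connector_url(url, resolver=default_resolver):
    """Return None if the URL may be fetched, otherwise the rejection reason."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme not allowed"
    if parts.username or parts.password:
        return "credentials in URL"
    host = parts.hostname
    if not host:
        return "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]      # literal IP: nothing to resolve
    except ValueError:
        # Hostnames, and odd literals such as decimal or hex IPs ("2852039166",
        # "0xa9fea9fe"), go through the resolver and are checked by result.
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return "unresolvable host"
    if not addrs:
        return "unresolvable host"
    # Every resolved address must be public: a name mapping to one public and
    # one link-local address is rejected, not accepted.
    for addr in addrs:
        if any(addr in net for net in BLOCKED_NETWORKS):
            return f"address {addr} is in a blocked range"
    return None
```

A check like this only holds if the HTTP client then connects to the address that was validated (or re-validates after each DNS lookup and each redirect); otherwise DNS rebinding or a 302 to the metadata endpoint gets around it.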