Full Report
Each instance of Jira Align (an Atlassian product) is deployed within an AWS EC2 environment. The endpoint ManageJiraConnectors has a parameter called txtAPIURL that holds the URL of a Jira API location. Jira Align automatically appends /rest/api/2/ to this URL. However, this appending can be bypassed by adding a URL fragment (#) to the end of the URL, leaving the attacker in full control of the URL being used. Because both the host and the path of the request are now attacker-controlled, this is a major SSRF bug. To exploit this in an AWS environment, the AWS metadata endpoint could be specified. The full response body of the Jira API request is then returned in the Jira Change log, and since the request went to the AWS metadata endpoint, this leaks the credentials for the EC2 instance. From there, further privilege escalation could be attempted. An additional bug was discovered in the application as well: the people role permission (which is very low level) could change any user's role, including their own, so a user holding it could become a Super Admin just by changing their own role. Overall, a good and short writeup explaining the vulnerabilities.
Analysis Summary
# Vulnerability: SSRF Leading to AWS Metadata Leak and Arbitrary Role Escalation in Jira Align
## CVE Details
- CVE ID: Not explicitly provided in the summary; the summary implies that multiple vulnerabilities were found.
- CVSS Score: Severity is implied to be High due to SSRF leading to credential compromise and privilege escalation.
- CWE: CWE-918 (Server-Side Request Forgery), CWE-269 (Improper Privilege Management).
## Affected Systems
- Products: Atlassian Jira Align
- Versions: The vulnerable version specifically mentioned is **10.107.4**. Patched versions were released around 10.108.3.5 and 10.109.3.
- Configurations: Jira Align deployed within an AWS EC2 environment.
## Vulnerability Description
Two distinct vulnerabilities were discovered:
1. **Server-Side Request Forgery (SSRF) via `txtAPIURL`:** The `ManageJiraConnectors` endpoint uses the `txtAPIURL` parameter for a Jira API URL. Normal URL appending of `/rest/api/2/` can be bypassed by appending a URL fragment (`#`). This grants the attacker full control over the target URL. In an AWS environment, an attacker can point this URL to the local AWS Metadata Endpoint (`169.254.169.254`). The resulting request body (including leaked EC2 secrets) is then returned in the Jira Change log, leading to the compromise of AWS EC2 instance credentials.
2. **Arbitrary Role Escalation Due to Low-Level Permission Flaw:** A user with the low-level "people" role permission could forcibly change *any* user's role, including changing their own role to **Super Admin**.
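As an added example (not code from Jira Align or the Bishop Fox advisory), the Python below contrasts the concatenation pattern the SSRF description relies on with a builder that parses and validates the base URL before appending the API path. The scheme allow-list, the `jira.example.com` sample host and the error messages are assumptions for illustration.

```python
"""Added example: why appending a path to a user-supplied URL by string
concatenation is bypassable with a fragment, and a hardened builder that
rejects such input and literal link-local/private targets."""
import ipaddress
from urllib.parse import urlsplit, urlunsplit

API_SUFFIX = "/rest/api/2/"
# Assumed allow-list; a real deployment would load this from configuration.
ALLOWED_SCHEMES = {"https"}


def naive_api_url(user_url: str) -> str:
    """Vulnerable pattern described in the writeup: plain concatenation."""
    return user_url + API_SUFFIX


def effective_path(url: str) -> str:
    """Path an HTTP client actually sends; the fragment is never transmitted."""
    return urlsplit(url).path


def hardened_api_url(user_url: str) -> str:
    """Parse, validate and rebuild the URL so the suffix cannot be displaced."""
    # A bare trailing '#' parses to an empty fragment, so test the raw string.
    if "#" in user_url or "?" in user_url:
        raise ValueError("fragment/query not allowed in base URL")
    parts = urlsplit(user_url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    if parts.username or parts.password:
        raise ValueError("userinfo not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # hostname: DNS resolution and rebinding checks are out of scope here
    if ip is not None and (ip.is_link_local or ip.is_private or ip.is_loopback):
        raise ValueError("target address not allowed")
    # Rebuild from validated components; query and fragment are always empty.
    path = parts.path.rstrip("/") + API_SUFFIX
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))
```

Literal-IP checks do not cover hostnames that resolve to the metadata address, so this belongs alongside the egress controls listed under Workarounds rather than in place of them.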
## Exploitation
- Status: Proof-of-Concept (PoC) demonstrated in the source writeup (SSRF targeting the metadata endpoint, with a role-change payload example provided).
- Complexity: Low (SSRF bypass is achieved via a simple URL fragment, and role escalation seems direct).
- Attack Vector: Network (for SSRF); Authorization Bypass (for Role Escalation).
## Impact
- Confidentiality: High (Leaking of AWS EC2 instance credentials/secrets).
- Integrity: High (Ability to arbitrarily change user roles, leading to Super Admin access).
- Availability: Low/Medium (Impact is focused on access control and data exposure rather than crashing the service).
## Remediation
### Patches
- **SSRF Patch:** Vendor released hotfix version **10.108.3.5** (as of 06/28/2022).
- **General Patch:** Vendor released version **10.109.3** (as of 07/22/2022).
*Note: Users should upgrade to the latest version available, which supersedes these fixes.*
### Workarounds
- Implement network egress filtering for the Jira Align EC2 instance to prevent outbound connections to the known AWS metadata endpoint (`169.254.169.254`).
- Review and restrict permissions for users holding the "people" role until patching is complete.
## Detection
- **Indicators of Compromise:** Look for outbound HTTP/HTTPS requests initiated by the Jira Align application server targeting `169.254.169.254` or other sensitive internal IPs originating from the `ManageJiraConnectors` processing function. Monitor Jira Change logs for unexpected data entries potentially containing metadata tokens.
- **Detection Methods and Tools:** Network flow monitoring and endpoint detection tools capable of monitoring unusual HTTP requests originating from the application server process.
## References
- Vendor Advisory (Implied): Atlassian Security Advisory
- Research Source: bishopfox.com/blog/jira-align-advisory