CVE-2022-36803Incorrect Default Permissions in Atlassian Jira Align

CWE-276Incorrect Default Permissions3 documents3 sources
Severity
8.8HIGHNVD
EPSS
0.3%
top 43.51%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Atlassian Jira Align
Timeline
PublishedOct 14

Description

The MasterUserEdit API in Atlassian Jira Align Server before version 10.109.2 allows An authenticated attacker with the People role permission to use the MasterUserEdit API to modify any users role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

CVEListV5atlassian/jira_alignunspecified10.109.2
NVDatlassian/jira_align< 10.109.2

🔴Vulnerability Details

2
CVEList
CVE-2022-36803: The MasterUserEdit API in Atlassian Jira Align Server before version 102022-10-14
GHSA
GHSA-7hpj-mxfh-5j9j: The MasterUserEdit API in Atlassian Jira Align Server before version 102022-10-14
CVE-2022-36803 — Incorrect Default Permissions | cvebase