CVE-2022-36802 - Vulnerability Details - OpenCVE

The ManageJiraConnectors API in Atlassian Jira Align before version 10.109.2 allows remote attackers to exploit this issue to access internal network resources via a Server-Side Request Forgery. This can be exploited by a remote, unauthenticated attacker with Super Admin privileges by sending a specially crafted HTTP request.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00363.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Atlassian	Jira Align

Configuration 1 [-]

cpe:2.3:a:atlassian:jira_align:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-39502	The ManageJiraConnectors API in Atlassian Jira Align before version 10.109.2 allows remote attackers to exploit this issue to access internal network resources via a Server-Side Request Forgery. This can be exploited by a remote, unauthenticated attacker with Super Admin privileges by sending a specially crafted HTTP request.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://jira.atlassian.com/browse/JIRAALIGN-4326

History

Wed, 02 Oct 2024 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: atlassian

Published: 2022-10-14T03:45:14.385390Z

Updated: 2024-10-29T15:19:34.058Z

Reserved: 2022-07-26T00:00:00

Link: CVE-2022-36802

Vulnrichment

Updated: 2024-08-03T10:14:28.397Z

NVD

Status : Modified

Published: 2022-10-14T04:15:13.703

Modified: 2024-11-21T07:13:48.147

Link: CVE-2022-36802

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-36802", "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "datePublished": "2022-10-14T03:45:14.385390Z", "dateUpdated": "2024-10-29T15:19:34.058Z", "dateReserved": "2022-07-26T00:00:00"}, "containers": {"cna": {"datePublic": "2022-08-12T00:00:00", "providerMetadata": {"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian", "dateUpdated": "2022-10-14T00:00:00"}, "descriptions": [{"lang": "en", "value": "The ManageJiraConnectors API in Atlassian Jira Align before version 10.109.2 allows remote attackers to exploit this issue to access internal network resources via a Server-Side Request Forgery. This can be exploited by a remote, unauthenticated attacker with Super Admin privileges by sending a specially crafted HTTP request."}], "affected": [{"vendor": "Atlassian", "product": "Jira Align", "versions": [{"version": "unspecified", "lessThan": "10.109.2", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://jira.atlassian.com/browse/JIRAALIGN-4326"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Server-Side Request Forgery"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:14:28.397Z"}, "title": "CVE Program Container", "references": [{"url": "https://jira.atlassian.com/browse/JIRAALIGN-4326", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-10-02T14:14:10.164355Z", "id": "CVE-2022-36802", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-29T15:19:34.058Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://jira.atlassian.com/browse/JIRAALIGN-4326", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:14:28.397Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-36802", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-02T14:14:10.164355Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-02T14:14:14.767Z"}}], "cna": {"affected": [{"vendor": "Atlassian", "product": "Jira Align", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "10.109.2", "versionType": "custom"}]}], "datePublic": "2022-08-12T00:00:00", "references": [{"url": "https://jira.atlassian.com/browse/JIRAALIGN-4326"}], "descriptions": [{"lang": "en", "value": "The ManageJiraConnectors API in Atlassian Jira Align before version 10.109.2 allows remote attackers to exploit this issue to access internal network resources via a Server-Side Request Forgery. This can be exploited by a remote, unauthenticated attacker with Super Admin privileges by sending a specially crafted HTTP request."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Server-Side Request Forgery"}]}], "providerMetadata": {"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian", "dateUpdated": "2022-10-14T00:00:00"}}}, "cveMetadata": {"cveId": "CVE-2022-36802", "state": "PUBLISHED", "dateUpdated": "2024-10-29T15:19:34.058Z", "dateReserved": "2022-07-26T00:00:00", "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "datePublished": "2022-10-14T03:45:14.385390Z", "assignerShortName": "atlassian"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:jira_align:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6AD57B7-5D67-467B-8366-78F6973D85B0", "versionEndExcluding": "10.109.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The ManageJiraConnectors API in Atlassian Jira Align before version 10.109.2 allows remote attackers to exploit this issue to access internal network resources via a Server-Side Request Forgery. This can be exploited by a remote, unauthenticated attacker with Super Admin privileges by sending a specially crafted HTTP request."}, {"lang": "es", "value": "La API ManageJiraConnectors en Atlassian Jira Align versiones anteriores a 10.109.2, permite a atacantes remotos explotar este problema para acceder a recursos de red internos por medio de un ataque de tipo Server-Side Request Forgery. Esto puede ser explotado por un atacante remoto, no autenticado, con privilegios de Super Admin, mediante el env\u00edo de una petici\u00f3n HTTP especialmente dise\u00f1ada"}], "id": "CVE-2022-36802", "lastModified": "2024-11-21T07:13:48.147", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-10-14T04:15:13.703", "references": [{"source": "security@atlassian.com", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://jira.atlassian.com/browse/JIRAALIGN-4326"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://jira.atlassian.com/browse/JIRAALIGN-4326"}], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-918"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}