Headline
CVE-2022-36803
The MasterUserEdit API in Atlassian Jira Align Server before version 10.109.2 allows An authenticated attacker with the People role permission to use the MasterUserEdit API to modify any users role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox.
Related news
Jira Align flaws enabled malicious users to gain super admin privileges – and potentially worse
Lateral or upwards movement beyond the instance was theoretically possible, concludes researcher
Jira Align flaws enabled malicious users to gain super admin privileges
Super admins can, among other things, modify Jira connections, reset user accounts, and modify security settings