Atlassian Patches Critical Bamboo Server & Other 24 Flaws

A critical Bamboo Data Center and Server vulnerability has been discovered with a critical vulnerability which has been given CVE-2024-1597 and the severity was given as 10.0 (Critical).

This particular vulnerability was specifically mentioned by Atlassian that it is a non-atlassian Bamboo dependency.

“Atlassian’s application of the dependency presents a lower assessed risk, which is why we are disclosing this vulnerability in our monthly Security Bulletin instead of a Critical Security Advisory. ” reads the security bulletin from Atlassian. 

Alongside of this, there were 24 other vulnerabilities that were fixed by Atlassian in several other products such as Bitbucket Data center and server, Confluence data center and server and Jira Software Data center and server.

Document

Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities. :

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:

The fixed vulnerabilities were related to several flaws including Denial of Service, Path Traversal, Remote Code execution and Server-side Request Forgery.

Atlassian Patches 24 Flaws

According to the reports shared with Cyber Security News, the critical vulnerability in the Bamboo Data Center and Server was associated with SQLi (SQL injection) in the org.postgresql:postgresql dependency.

This vulnerability could allow a threat actor to expose assets in the vulnerable environment without any user interaction. 

However, Atlassian has claimed that this was an “unexploitable Critical severity vulnerability” which is assessed with low risk to Atlassian.

This particular vulnerability exists in versions 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, and 9.5.0 of Bamboo Data Center and Server.

Affected versionsFixed versions
from 9.5.0 to 9.5.19.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only
from 9.4.0 to 9.4.39.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only or 9.4.4
from 9.3.0 to 9.3.69.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only or 9.4.4
from 9.2.0 to 9.2.11 (LTS)9.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only or 9.4.4 or 9.2.12 (LTS)
from 9.1.0 to 9.1.39.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only or 9.4.4 or 9.2.12 (LTS)
from 9.0.0 to 9.0.49.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only or 9.4.4 or 9.2.12 (LTS)
from 8.2.0 to 8.2.99.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only or 9.4.4 or 9.2.12 (LTS)
Any earlier versions 9.6.0 (LTS) recommended Data Center Only or 9.5.2 Data Center Only or 9.4.4 or 9.2.12 (LTS)

Apart from this, there was another high severity vulnerability addressed by Atlassian which was associated with Denial of service on the Bamboo Data Center and Server.

This DoS vulnerability exists in the software.amazon.ion:ion-java and the CVE has been assigned with CVE-2024-21634 with severity as 7.8 (High).

Additional information on the security bulletin by Atlassian stated about Bitbucket Data center in which another Denial of service vulnerability was patched that had the same DoS CVE of Bamboo Data Center and Server vulnerability. 

However, the Confluence Data Center and Server product had a Path Traversal and a Denial of Service vulnerabilities that were fixed as part of this security bulletin.

The CVEs for these vulnerabilities were given as CVE-2024-21677 (8.3 – High) and CVE-2023-36478 (7.5 – High).

The Jira Software Data Center and Server was one the products that had nearly 20 vulnerabilities fixed. Among these vulnerabilities nearly, there were 

  • 3 Remote Code Execution vulnerabilities (CVE-2022-42890, CVE-2022-41704, CVE-2022-34169)
  • 1 Server-side Request Forgery vulnerability (CVE-2022-40146) and
  • 17 Denial of Service vulnerabilities.
    • CVE-2022-40150
    • CVE-2023-34455
    • CVE-2023-1436
    • CVE-2022-45685
    • CVE-2022-29546
    • CVE-2022-40149
    • CVE-2023-39410
    • CVE-2023-34454
    • CVE-2023-34453
    • CVE-2023-43642
    • CVE-2022-3509
    • CVE-2022-3171
    • CVE-2023-5072
    • CVE-2022-45688
    • CVE-2022-24839
    • CVE-2022-28366

Furthermore, the fixed versions and other information can be found in the security bulletin from Atlassian.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.