This week, Atlassian released fixes for four high-severity flaws that had the potential to cause a DoS and remote code execution and affected several of its products.
The issues in its primary products, Jira, Confluence, Bitbucket, and Bamboo, have been fixed. Atlassian found these vulnerabilities using its Bug Bounty program, pen-testing processes, and third-party library scans.
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
Four High-Severity Flaws Addressed
- CVE-2022-25647 (CVSS score: 7.5) – Patch Management Flaw
This patch management bug in Jira could allow an attacker to expose assets for further exploitation. It may lead to DoS attacks.
Introduced in Jira version 4.20.0
Upgrade to a minimum fix version of 4.20.25, 5.4.9, 5.9.2, 5.10.1, 5.11.0 or latest
- CVE-2023-22512 (CVSS score: 7.5) – DoS (Denial of Service) Flaw
A DoS flaw in Confluence Data Center and Server. According to Atlassian, an unauthenticated attacker might exploit this vulnerability to block access to resources by temporarily or indefinitely disrupting the services of a vulnerable host connected to a network.
Version 5.6 and impacts release up to 8.6.0.
Upgrade to a minimum fix version of 7.19.13, 7.19.14, 8.5.1, 8.6.0 or latest
- CVE-2023-22513 (CVSS score: 8.5) – RCE (Remote Code Execution) Flaw
An RCE flaw in the Bitbucket Data Center and Server.
“This RCE (Remote Code Execution) vulnerability, allows an authenticated attacker to execute arbitrary code which has a high impact on confidentiality, high impact on integrity, high impact on availability, and requires no user interaction”, Atlassian said.
Version 8.0.0 and impacts most releases until version 8.14.0.
Upgrade to a minimum fix version of 8.9.5, 8.10.5, 8.11.4, 8.12.2, 8.13.1, 8.14.0 or latest
- CVE-2023-28709 (CVSS score: 7.5) – DoS Flaw
A DoS flaw in the Apache Tomcat server impacted the Bamboo Data Center and Server. It is described as a third-party dependency problem that can be exploited by an attacker to “expose assets in your environment susceptible to exploitation.”
Version 8.1.12, the bug was addressed in Bamboo versions 9.2.4 and 9.3.1.
Upgrade to a minimum fix version of 9.2.4, 9.3.1, or the latest.
Atlassian recommends upgrading to the latest fixed versions released.