Atlassian Patches High-Severity Vulnerabilities in Confluence, Crucible, Jira

June 20, 2024 at 06:58AM

Atlassian released software updates addressing high-severity vulnerabilities in Confluence, Crucible, and Jira. The Confluence update resolves six security defects, including broken access control and server-side request forgery flaws. Crucible versions 4.8.15 and higher address a deserialization vulnerability, while Jira updates fix an information disclosure issue. No known exploitation of these vulnerabilities has been reported.

Atlassian has released software updates addressing multiple high-severity vulnerabilities in its Confluence, Crucible, and Jira products. The updates include fixes for security defects in third-party dependencies: broken access control issues in the Spring Framework, server-side request forgery vulnerabilities, out-of-bounds write bugs in Apache Commons Configuration, and a deserialization-of-untrusted-data vulnerability in the com.google.code.gson:gson package. These vulnerabilities could lead to unauthorized data exposure, denial-of-service (DoS) conditions, and information disclosure. The patches are included in specific versions of Confluence Data Center and Server, Crucible Data Center and Server, Jira Data Center and Server, and Jira Service Management Data Center and Server. Atlassian’s June 2024 Security Bulletin did not mention any of these vulnerabilities being exploited in the wild.