Atlassian Patches Vulnerabilities in Bamboo, Bitbucket, Confluence, Crowd

September 19, 2024 at 08:36AM

Atlassian has released patches for multiple high-severity vulnerabilities in Bamboo, Bitbucket, Confluence, and Crowd. The vulnerabilities allowed attackers to cause denial-of-service (DoS) conditions. The patches address security defects in various components and third-party dependencies, and the company urges users to update their installations as soon as possible. None of these issues has been reported as exploited in the wild.

Atlassian recently announced patches for multiple high-severity vulnerabilities in Bamboo, Bitbucket, Confluence, and Crowd. A total of four bugs were addressed, all of which allowed attackers to cause a denial-of-service (DoS) condition.

Specifically, four vulnerabilities were addressed:

1. Bamboo Data Center and Server were updated to address CVE-2024-34750, a security defect in Coyote, the connector component of Apache Tomcat. The issue could be exploited by unauthenticated attackers, leaving exposed assets in the environment susceptible to exploitation.

2. Bitbucket Data Center and Server received patches for the Tomcat Coyote flaw and for CVE-2024-32007, an improper input validation bug in Apache CXF JOSE code, which could allow an attacker to cause a DoS condition.

3. Two vulnerabilities were addressed with the latest Confluence Data Center and Server updates, one affecting the Bouncy Castle Java dependency (CVE-2024-29857) and another in Clojure (CVE-2024-22871).

4. A patch for the Bouncy Castle Java flaw was also included in the latest Crowd Data Center and Server security update.

Importantly, Atlassian has stated that none of these issues has an impact on confidentiality or integrity. Although there is no mention of these issues being exploited in the wild, users are urged to update each application to its latest version, or to a fixed version, as soon as possible.

Additionally, it’s worth noting that all security defects were reported via Atlassian’s bug bounty program.