December 6, 2023 at 04:54AM
Atlassian patched four critical vulnerabilities in its software, addressing remote code execution risks. CVE-2022-1471, CVE-2023-22522, CVE-2023-22523, and CVE-2023-22524, with CVSS scores up to 9.8, affect various products including Confluence and Jira. A prior critical flaw affecting Bamboo is also mentioned. Urgent updates are recommended.
Meeting Takeaways from Dec 06, 2023 – Software Security / Vulnerability Report:
1. Atlassian has patched four critical vulnerabilities in its software that could lead to remote code execution if exploited.
2. Details of the vulnerabilities are as follows:
– CVE-2022-1471: Deserialization vulnerability in the SnakeYAML library, CVSS score 9.8, affects multiple products.
– CVE-2023-22522: RCE in Confluence Data Center and Confluence Server, CVSS score 9.0, affects versions from 4.0.0 onwards.
– CVE-2023-22523: RCE in Assets Discovery for Jira Service Management, CVSS score 9.8, affects all versions up to but not including specified patched versions.
– CVE-2023-22524: RCE in Atlassian Companion app for macOS, CVSS score 9.6, affects all versions up to but not including 2.0.0.
3. CVE-2023-22522 allows code execution via template injection due to unsafe user input on a Confluence page.
4. The Assets Discovery flaw permits privileged RCE on machines with the Assets Discovery agent.
5. CVE-2023-22524 allows code execution by exploiting WebSockets to circumvent Atlassian Companion’s blocklist and macOS Gatekeeper.
6. Previous critical security flaw CVE-2023-46604 (CVSS score 10.0) in Apache ActiveMQ, affecting Bamboo Data Center and Server, was reported by Atlassian and has been patched in newer versions.
7. Due to increasing attacks on Atlassian products, users are strongly encouraged to update their software to the latest patched versions promptly.
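As a triage aid for item 7, the following added example (not Atlassian's code, nor part of the original report) flags inventory entries that fall inside the affected ranges stated above. The report gives a fixed version only for Atlassian Companion (2.0.0); the Confluence and Assets Discovery fixed versions are left as None placeholders that must be filled in from Atlassian's advisory, and the inventory lines are constructed sample data.

```python
"""Flag Atlassian product versions inside the affected ranges listed in the report."""
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    product: str
    cve: str
    min_affected: Optional[str]  # inclusive lower bound; None = from the first version
    fixed: Optional[str]         # exclusive upper bound; None = not stated in the report


# Ranges taken from the report above. Placeholder None for fixed versions the
# report does not state: fill these in from Atlassian's advisory before use.
RULES = [
    Rule("Confluence Data Center", "CVE-2023-22522", "4.0.0", None),
    Rule("Confluence Server", "CVE-2023-22522", "4.0.0", None),
    Rule("Assets Discovery", "CVE-2023-22523", None, None),
    Rule("Atlassian Companion", "CVE-2023-22524", None, "2.0.0"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '8.5.3' into (8, 5, 3), padding short versions so tuples compare cleanly."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(product: str, version: str, rules=RULES) -> Tuple[str, Optional[str]]:
    """Return (status, cve); status is 'affected', 'not affected', 'unknown' or 'no rule'."""
    for rule in rules:
        if rule.product != product:
            continue
        v = parse_version(version)
        if rule.min_affected and v < parse_version(rule.min_affected):
            return ("not affected", rule.cve)
        if rule.fixed is None:
            # Affected range is open-ended in the report: escalate rather than guess.
            return ("unknown", rule.cve)
        if v < parse_version(rule.fixed):
            return ("affected", rule.cve)
        return ("not affected", rule.cve)
    return ("no rule", None)


# Constructed sample inventory: "<host> <product name> <version>"
INVENTORY = """host-a Confluence Data Center 8.5.3
host-b Atlassian Companion 1.9.0
host-c Atlassian Companion 2.0.0
host-d Confluence Server 3.5.0"""


def triage(inventory: str = INVENTORY) -> List[Tuple[str, str, str, str, Optional[str]]]:
    """Classify every inventory line against RULES."""
    results = []
    for line in inventory.splitlines():
        host, rest = line.split(" ", 1)
        product, version = rest.rsplit(" ", 1)
        status, cve = is_affected(product, version)
        results.append((host, product, version, status, cve))
    return results
```

Entries reported as "unknown" are the ones whose fixed version the report does not state; resolve them against the vendor advisory rather than treating them as clean.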
Please update systems and inform relevant teams about these vulnerabilities and necessary actions. Follow @Atlassian on Twitter and LinkedIn for further updates.