March 20, 2024 at 10:51AM
Atlassian patched 24 vulnerabilities in products including Bamboo, Bitbucket, Confluence, and Jira. The critical-severity bug (CVE-2024-1597) lies in the org.postgresql:postgresql dependency, could be exploited by unauthenticated attackers, and affects Bamboo Data Center and Server versions 8.2.1 to 9.5.0. Atlassian also released security updates for Confluence and Jira. Users are advised to update their instances.
Key takeaways from the bulletin:
– Atlassian has released patches addressing two dozen vulnerabilities in their products, including critical-severity bugs that could be exploited without user interaction.
– One of the critical-severity vulnerabilities, tracked as CVE-2024-1597 with a CVSS score of 10, is an SQL injection issue that impacts the org.postgresql:postgresql third-party dependency of Bamboo Data Center and Server.
– The SQL injection issue “could allow an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction”.
– The vulnerability affects specific versions of Bamboo Data Center and Server, and Atlassian has released updated versions to address this issue.
– Another high-severity flaw leading to denial-of-service (DoS) was also patched in Bitbucket Data Center and Server.
– Atlassian also announced patches for a high-severity path traversal in Confluence Data Center and Server and a high-severity DoS bug in a third-party dependency of the product. Specific versions of Confluence resolve both issues.
– The Jira Software Data Center and Server security updates address 20 high-severity vulnerabilities, including those leading to DoS, remote code execution (RCE), and server-side request forgery (SSRF).
– Users are advised to update their instances to the latest version of the affected products, and Atlassian mentioned that none of these vulnerabilities have been exploited in the wild.
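The first step in acting on a bulletin like this is finding which of your own instances fall inside the affected version range. The following is an added example, not Atlassian's tooling and not code from the original post: it flags Bamboo Data Center and Server instances whose version lies within 8.2.1 through 9.5.0, the range the bulletin summary above cites for CVE-2024-1597. The inventory, hostnames and `triage` helper are constructed for illustration; the page does not list fixed versions, so anything outside the range is reported only as "not in the cited range", and the Atlassian bulletin remains the authority on which release to move to.

```python
"""Flag Bamboo instances in the affected range for CVE-2024-1597.

Constructed example: the affected range (8.2.1 through 9.5.0) is taken
from the bulletin summary; the inventory and hostnames are made up.
"""

from dataclasses import dataclass

# Inclusive bounds of the affected Bamboo Data Center / Server range
# as stated in the summary above (not a list of fixed versions).
AFFECTED_LOW = (8, 2, 1)
AFFECTED_HIGH = (9, 5, 0)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '9.10.2' into (9, 10, 2) so versions compare numerically.

    Plain string comparison would wrongly rank '9.10.2' below '9.5.0';
    tuple comparison gets this right. Missing components pad with 0,
    so '9.5' compares like '9.5.0'.
    """
    parts = version.strip().split(".")
    nums = []
    for part in parts:
        if not part.isdigit():
            raise ValueError(f"non-numeric component {part!r} in {version!r}")
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True if the version is inside the cited affected range (inclusive)."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


@dataclass
class Instance:
    host: str
    product: str
    version: str


# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = [
    Instance("bamboo-prod.example.internal", "Bamboo Data Center", "9.4.1"),
    Instance("bamboo-dev.example.internal", "Bamboo Server", "8.1.9"),
    Instance("bamboo-ci.example.internal", "Bamboo Data Center", "9.10.2"),
    Instance("bamboo-legacy.example.internal", "Bamboo Server", "8.2.1"),
    Instance("jira.example.internal", "Jira Software Data Center", "9.12.1"),
]


def triage(inventory: list[Instance]) -> list[str]:
    """Return hostnames of Bamboo instances inside the affected range.

    Non-Bamboo products are skipped: this check covers only the
    CVE-2024-1597 range, not the Jira, Confluence or Bitbucket fixes.
    """
    affected = []
    for inst in inventory:
        if not inst.product.startswith("Bamboo"):
            continue
        if is_affected(inst.version):
            affected.append(inst.host)
    return affected


if __name__ == "__main__":
    for inst in INVENTORY:
        if not inst.product.startswith("Bamboo"):
            continue
        status = "AFFECTED" if is_affected(inst.version) else "not in cited range"
        print(f"{inst.host:32} {inst.product:20} {inst.version:8} {status}")
```

Running this prints one line per Bamboo instance; the two hosts on 9.4.1 and 8.2.1 are flagged, while 9.10.2 is correctly placed above 9.5.0 despite sorting below it as a string. Feed it your real inventory export in place of `INVENTORY` and compare the flagged hosts against the fixed versions in the bulletin.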
For additional information, refer to Atlassian’s March 2024 security bulletin.