Business software maker Atlassian this week announced updates that address critical-severity remote code execution (RCE) vulnerabilities in Confluence and other products.
The Confluence flaw, tracked as CVE-2023-22522 and affecting Confluence Data Center and Server, is described as a template injection bug that can be exploited by an attacker with low-level permissions to inject “unsafe user input into a Confluence page”.
“Using this approach, an attacker is able to achieve RCE on an affected instance,” the software maker notes in its advisory.
Atlassian, which rates the vulnerability with a CVSS score of 9.0, notes that an attacker needs to be authenticated, even as an anonymous user, to exploit the issue.
All Confluence Data Center and Server versions above and including 4.0.0 are affected by this security defect. Atlassian Cloud sites are not affected.
The issue has been addressed in Confluence Data Center and Server versions 7.19.17 (LTS), 8.4.5, and 8.5.4 (LTS), and Confluence Data Center 8.6.2 and 8.7.1. Confluence customers are advised to update to a fixed release as soon as possible.
Another bug, CVE-2023-22524, affects the Companion App for MacOS, an optional desktop application that can be used for editing files on Confluence.
“An attacker could utilize WebSockets to bypass Atlassian Companion’s blocklist and MacOS Gatekeeper to allow the execution of code,” Atlassian explains.
The company rates the vulnerability with a CVSS score of 9.6 and notes that all Companion App for MacOS iterations prior to version 2.0.0 are vulnerable. Customers are advised to update to version 2.0.0.
This week, Atlassian also announced patches for CVE-2023-22523, an RCE defect in Assets Discovery, a stand-alone network scanning tool for Jira that can be used with or without an agent.
According to Atlassian, which rates the flaw with a CVSS score of 9.8, only systems with the Assets Discovery agent installed are vulnerable, because the bug exists between the Assets Discovery application and the agent. Uninstalling the Assets Discovery agents removes the vulnerability.
The company also announced patches for CVE-2022-1471 (CVSS score of 9.8), an RCE issue in the SnakeYAML library, which is used in multiple Atlassian products, including Bitbucket, Confluence, and Jira.
Atlassian has released patches for all affected applications and urges customers to update to fixed releases, as there are no mitigations for this vulnerability.
Additional information on the resolved security defects can be found on Atlassian’s security advisories page. The company makes no mention of any of these vulnerabilities being exploited in malicious attacks.