Connect with us

Hi, what are you looking for?



Atlassian Patches Critical Remote Code Execution Vulnerabilities

Atlassian has released patches for critical-severity remote code execution flaws in Confluence and other products.

Business software maker Atlassian this week announced updates that address critical-severity remote code execution (RCE) vulnerabilities in Confluence and other products.

The Confluence flaw, tracked as CVE-2023-22522 and affecting Confluence Data Center and Server, is described as a template injection bug that can be exploited by an attacker with low-level permissions to inject “unsafe user input into a Confluence page”.

“Using this approach, an attacker is able to achieve RCE on an affected instance,” the software maker notes in its advisory.

Atlassian, which rates the vulnerability with a CVSS score of 9.0, notes that an attacker needs to be authenticated, even as an anonymous user, to exploit the issue.

All Confluence Data Center and Server versions above and including 4.0.0 are affected by this security defect. Atlassian Cloud sites are not affected.

The issue has been addressed in Confluence Data Center and Server versions 7.19.17 (LTS), 8.4.5, and 8.5.4 (LTS), and Confluence Data Center 8.6.2 and 8.7.1. Confluence customers are advised to update to a fixed release as soon as possible.

Another bug, CVE-2023-22524, affects the Companion App for MacOS, an optional desktop application that can be used for editing files on Confluence.

“An attacker could utilize WebSockets to bypass Atlassian Companion’s blocklist and MacOS Gatekeeper to allow the execution of code,” Atlassian explains.

Advertisement. Scroll to continue reading.

The company rates the vulnerability with a CVSS score of 9.6 and notes that all Companion App for MacOS iterations prior to version 2.0.0 are vulnerable. Customers are advised to update to version 2.0.0.

This week, Atlassian also announced patches for CVE-2023-22523, an RCE defect in Assets Discovery, a stand-alone network scanning tool for Jira that can be used with or without an agent.

According to Atlassian, which rates the flaw with a CVSS score of 9.8, only systems with the Assets Discovery agent installed are vulnerable, because the bug exists between the Assets Discovery application and the agent. Uninstalling the Assets Discovery agents removes the vulnerability.

The company also announced patches for CVE-2022-1471 (CVSS score of 9.8), an RCE issue in the SnakeYAML library, which is used in multiple Atlassian products, including Bitbucket, Confluence, and Jira.

Atlassian has released patches for all affected applications and urges customers to update to fixed releases, as there are no mitigations for this vulnerability.

Additional information on the resolved security defects can be found on Atlassian’s security advisories page. The company makes no mention of any of these vulnerabilities being exploited in malicious attacks.

Related: Atlassian Issues Second Warning on Potential Exploitation of Critical Confluence Flaw

Related: Atlassian Ships Urgent Patch for Exploited Confluence Zero-Day

Related: Atlassian Security Updates Patch High-Severity Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.