Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Atlassian Patches Critical Vulnerability in Bamboo Data Center and Server

Atlassian releases patches for two dozen vulnerabilities, including a critical-severity bug in Bamboo Data Center and Server.

Atlassian on Tuesday announced patches for two dozen vulnerabilities in Bamboo, Bitbucket, Confluence, and Jira products, including a critical-severity bug that could be exploited without user interaction.

Tracked as CVE-2024-1597 (CVSS score of 10) and described as an SQL injection issue, the critical-severity flaw impacts the org.postgresql:postgresql third-party dependency of Bamboo Data Center and Server.

According to Atlassian, the issue “could allow an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction”.

The vulnerability affects Bamboo Data Center and Server versions 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, and 9.5.0, and was addressed with the release of versions 9.6.0 (LTS), 9.5.2, 9.4.4, and 9.2.12 (LTS), which also address a high-severity flaw leading to denial-of-service (DoS).

Tracked as CVE-2024-21634 (CVSS Score of 7.5) and impacting a third-party component, the DoS vulnerability was also patched in Bitbucket Data Center and Server.

On Tuesday, Atlassian also announced patches for a high-severity path traversal in Confluence Data Center and Server and a high-severity DoS bug in a third-party dependency of the product. Confluence versions 8.8.1, 8.5.7 LTS, and 7.19.20 LTS resolve both issues.

Advertisement. Scroll to continue reading.

Jira Software Data Center and Server security updates released on Tuesday address 20 high-severity vulnerabilities, including 16 leading to DoS, three leading to remote code execution (RCE), and one server-side request forgery (SSRF) bug.

Impacting various third-party dependencies and exploitable without authentication, the security defects were patched in Jira Software Data Center and Server versions 9.14.1, 9.14.0, 9.12.5 LTS, and 9.4.18 LTS.

Users are advised to update their instances to the latest version of the affected products. Atlassian makes no mention of any of these vulnerabilities being exploited in the wild.

Additional information can be found in Atlassian’s March 2024 security bulletin.

Related: Atlassian Warns of Critical RCE Vulnerability in Outdated Confluence Instances

Related: Atlassian Patches Critical Remote Code Execution Vulnerabilities

Related: Atlassian Issues Second Warning on Potential Exploitation of Critical Confluence Flaw

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

Mark Carter has been appointed Chief Information Security Officer at Socure.

Spektrum Labs has named Mark Cravotta Chief Operating Officer.

More People On The Move

Expert Insights

Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.