Atlassian on Tuesday announced patches for two dozen vulnerabilities in Bamboo, Bitbucket, Confluence, and Jira products, including a critical-severity bug that could be exploited without user interaction.
Tracked as CVE-2024-1597 (CVSS score of 10) and described as an SQL injection issue, the critical-severity flaw impacts the org.postgresql:postgresql third-party dependency of Bamboo Data Center and Server.
According to Atlassian, the issue “could allow an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction”.
The vulnerability affects Bamboo Data Center and Server versions 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, and 9.5.0, and was addressed with the release of versions 9.6.0 (LTS), 9.5.2, 9.4.4, and 9.2.12 (LTS), which also address a high-severity flaw leading to denial-of-service (DoS).
Tracked as CVE-2024-21634 (CVSS Score of 7.5) and impacting a third-party component, the DoS vulnerability was also patched in Bitbucket Data Center and Server.
On Tuesday, Atlassian also announced patches for a high-severity path traversal in Confluence Data Center and Server and a high-severity DoS bug in a third-party dependency of the product. Confluence versions 8.8.1, 8.5.7 LTS, and 7.19.20 LTS resolve both issues.
Jira Software Data Center and Server security updates released on Tuesday address 20 high-severity vulnerabilities, including 16 leading to DoS, three leading to remote code execution (RCE), and one server-side request forgery (SSRF) bug.
Impacting various third-party dependencies and exploitable without authentication, the security defects were patched in Jira Software Data Center and Server versions 9.14.1, 9.14.0, 9.12.5 LTS, and 9.4.18 LTS.
Users are advised to update their instances to the latest version of the affected products. Atlassian makes no mention of any of these vulnerabilities being exploited in the wild.
Additional information can be found in Atlassian’s March 2024 security bulletin.
Related: Atlassian Warns of Critical RCE Vulnerability in Outdated Confluence Instances
Related: Atlassian Patches Critical Remote Code Execution Vulnerabilities
Related: Atlassian Issues Second Warning on Potential Exploitation of Critical Confluence Flaw