Vulnerabilities

Atlassian Patches High-Severity Vulnerabilities in Confluence, Crucible, Jira

Atlassian has released Confluence, Crucible, and Jira updates to address multiple high-severity vulnerabilities.

Atlassian this week announced the release of software updates that resolve multiple high-severity vulnerabilities in Confluence, Crucible, and Jira.

The Confluence Data Center and Server update resolves a total of six security defects in various dependencies, all of which were disclosed this year.

Tracked as CVE-2024-22257, the most severe of these flaws is a broken access control issue in the Spring Framework that could allow unauthenticated attackers to expose assets they should not have access to.

Next in line are three server-side request forgery (SSRF) vulnerabilities in the URL parsing functionality of the Spring Framework, which are tracked as CVE-2024-22243, CVE-2024-22262, and CVE-2024-22259.

The three security holes are essentially the same bug, but each can be triggered with different output, a NIST advisory for CVE-2024-22262 reads.

Atlassian also updated Confluence Data Center and Server with patches for two out-of-bounds write bugs in Apache Commons Configuration, which could allow unauthenticated attackers to cause a denial-of-service (DoS) condition by submitting a crafted configuration file or input.

Patches for all vulnerabilities have been included in Confluence Data Center and Server versions 8.9.3, 8.5.11 (LTS), and 7.19.24 (LTS).

Crucible Data Center and Server versions 4.8.15 and higher address a deserialization of untrusted data vulnerability in the com.google.code.gson:gson package, which could be exploited by unauthenticated attackers to cause a DoS condition. The issue impacts Crucible version 4.8.0 and below.

This week, Atlassian also announced Jira Data Center and Server and Jira Service Management Data Center and Server updates that address an information disclosure vulnerability that can be exploited without authentication.

Tracked as CVE-2024-21685, the security defect was resolved in Jira Data Center and Server versions 9.16.0, 9.16.1, 9.12.8, 9.12.10 (LTS), 9.4.21, and 9.4.23 (LTS), and Jira Service Management Data Center and Server versions 5.16.0, 5.16.1, 5.12.8, 5.12.10 (LTS), 5.4.21, and 5.4.23 (LTS).
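The fixed-version lists above (Confluence in 8.9.3 / 8.5.11 / 7.19.24, Crucible in 4.8.15 and higher, Jira and Jira Service Management in the six releases each named here) are what an administrator actually has to compare an inventory against. The following checker is an added example, not code from the article or from Atlassian: it encodes only the fixed versions the article names, treats a deployment as patched when it is at or above the fixed release of its own major.minor branch (or, for Crucible, at or above 4.8.15), and reports "unknown-branch" for branches the article does not mention rather than guessing. The product keys, the status strings and the sample inventory are constructed for this example.

```python
"""Check deployed Atlassian versions against the fixed releases named in the
article. Added example; product keys, status strings and sample data are
constructed, the version numbers come from the article."""
import re

# Fixed versions exactly as listed in the article, keyed by constructed product names.
FIXED_VERSIONS = {
    "confluence": ["8.9.3", "8.5.11", "7.19.24"],
    "jira": ["9.16.0", "9.16.1", "9.12.8", "9.12.10", "9.4.21", "9.4.23"],
    "jira-service-management": ["5.16.0", "5.16.1", "5.12.8", "5.12.10", "5.4.21", "5.4.23"],
    "crucible": ["4.8.15"],
}

# How the article phrases each fix: "branches" = a separate fixed release per
# maintained branch; "minimum" = "this version and higher" (Crucible).
FIX_MODE = {
    "confluence": "branches",
    "jira": "branches",
    "jira-service-management": "branches",
    "crucible": "minimum",
}


def parse_version(text):
    """Turn '8.5.11 (LTS)', 'v9.4' or '4.8.15' into a 3-tuple of ints."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def _min_fixed_per_branch(product):
    """Lowest fixed release on each major.minor branch, e.g. {(9, 16): (9, 16, 0)}."""
    result = {}
    for fv in FIXED_VERSIONS[product]:
        t = parse_version(fv)
        branch = t[:2]
        if branch not in result or t < result[branch]:
            result[branch] = t
    return result


def patch_status(product, installed):
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one deployment."""
    v = parse_version(installed)
    fixed = _min_fixed_per_branch(product)
    if FIX_MODE[product] == "minimum":
        # Crucible: the article says 4.8.15 and higher carry the fix.
        floor = min(fixed.values())
        return "patched" if v >= floor else "vulnerable"
    branch = v[:2]
    if branch not in fixed:
        # The article names no fixed release for this branch; do not guess.
        return "unknown-branch"
    return "patched" if v >= fixed[branch] else "vulnerable"


def audit(inventory):
    """inventory: {hostname: (product, installed_version)} -> {hostname: status}."""
    return {host: patch_status(product, ver) for host, (product, ver) in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    SAMPLE = {
        "wiki-01": ("confluence", "8.5.10"),
        "wiki-02": ("confluence", "8.9.3"),
        "wiki-03": ("confluence", "8.7.1"),
        "jira-01": ("jira", "9.12.9"),
        "jsm-01": ("jira-service-management", "5.4.20"),
        "review-01": ("crucible", "4.8.14"),
    }
    for host, status in audit(SAMPLE).items():
        print(f"{host:10s} {status}")
```

The branch-aware comparison matters because a naive "installed >= 8.9.3" check would wrongly flag the patched 8.5.11 and 7.19.24 LTS releases as vulnerable; conversely, a branch the bulletin does not list should be surfaced for manual review, not silently marked safe.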

Atlassian’s June 2024 Security Bulletin makes no mention of any of these vulnerabilities being exploited in the wild.

Related: Details of Atlassian Confluence RCE Vulnerability Disclosed

Related: Linux Malware Campaign Targets Misconfigured Cloud Servers

Related: Cloudflare Hacked by Suspected State-Sponsored Threat Actor

Written by Ionut Arghire, an international correspondent for SecurityWeek.
