
Atlassian Patches High-Severity Vulnerabilities in Confluence, Crucible, Jira

Atlassian has released Confluence, Crucible, and Jira updates to address multiple high-severity vulnerabilities.


Atlassian this week announced the release of software updates that resolve multiple high-severity vulnerabilities in Confluence, Crucible, and Jira.

The Confluence Data Center and Server update resolves a total of six security defects in various dependencies, all of which were disclosed this year.

Tracked as CVE-2024-22257, the most severe of these flaws is a broken access control issue in the Spring Framework that could allow unauthenticated attackers to expose assets they should not have access to.

Next in line are three server-side request forgery (SSRF) vulnerabilities in the URL parsing functionality of the Spring Framework, which are tracked as CVE-2024-22243, CVE-2024-22262, and CVE-2024-22259.

The three security holes are essentially the same bug, but each can be triggered with different output, a NIST advisory for CVE-2024-22262 reads.

Atlassian also updated Confluence Data Center and Server with patches for two out-of-bounds write bugs in Apache Commons Configuration, which could allow unauthenticated attackers to cause a denial-of-service (DoS) condition by submitting a crafted configuration file or input.


Patches for all vulnerabilities have been included in Confluence Data Center and Server versions 8.9.3, 8.5.11 (LTS), and 7.19.24 (LTS).

Crucible Data Center and Server versions 4.8.15 and higher address a deserialization of untrusted data vulnerability in the com.google.code.gson:gson package, which could be exploited by unauthenticated attackers to cause a DoS condition. The issue impacts Crucible version 4.8.0 and below.

This week, Atlassian also announced Jira Data Center and Server and Jira Service Management Data Center and Server updates that address an information disclosure vulnerability that can be exploited without authentication.

Tracked as CVE-2024-21685, the security defect was resolved in Jira Data Center and Server versions 9.16.0, 9.16.1, 9.12.8, 9.12.10 (LTS), 9.4.21, and 9.4.23 (LTS), and Jira Service Management Data Center and Server versions 5.16.0, 5.16.1, 5.12.8, 5.12.10 (LTS), 5.4.21, and 5.4.23 (LTS).
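For teams triaging an inventory against the Confluence and Jira fixed versions listed above, the following added example (not Atlassian's own tooling) compares an installed version with the fixed releases named in this article. It assumes that, within a listed release branch (major.minor), any version at or above the lowest listed fixed version contains the fix, and it treats an unlisted branch older than the newest fix as needing an upgrade to the nearest fixed release.

```python
"""Check an installed Atlassian product version against the fixed versions
named in this article.  Added example, not Atlassian's tooling.
Assumption: within a listed branch (major.minor), any version at or above
the lowest listed fixed version contains the fix."""
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Fixed versions exactly as listed in the article.
FIXED_VERSIONS = {
    "confluence": ["8.9.3", "8.5.11", "7.19.24"],
    "jira": ["9.16.0", "9.16.1", "9.12.8", "9.12.10", "9.4.21", "9.4.23"],
    "jira-service-management": ["5.16.0", "5.16.1", "5.12.8", "5.12.10",
                                "5.4.21", "5.4.23"],
}


def parse_version(text: str) -> Version:
    """Turn '9.12.10' into (9, 12, 10) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def assess(product: str, installed: str) -> Tuple[str, Optional[str]]:
    """Return (status, recommended_version).

    'patched'        : in a listed branch, at or above that branch's lowest fix
    'vulnerable'     : below the branch fix, or in an unlisted branch older than
                       the newest fix (recommended_version is the upgrade target)
    'newer-than-fix' : above every listed fixed version; not covered by the list
    """
    inst = parse_version(installed)
    fixes = sorted(parse_version(v) for v in FIXED_VERSIONS[product])
    branch = [f for f in fixes if f[:2] == inst[:2]]
    if branch:
        lowest = branch[0]
        if inst >= lowest:
            return "patched", None
        return "vulnerable", ".".join(map(str, lowest))
    if inst > fixes[-1]:
        return "newer-than-fix", None
    # Unlisted branch (e.g. Confluence 8.7.x): nearest fixed release above it.
    target = next(f for f in fixes if f > inst)
    return "vulnerable", ".".join(map(str, target))


if __name__ == "__main__":
    for product, version in [("confluence", "8.9.2"), ("confluence", "8.7.1"),
                             ("jira", "9.12.9"), ("jira", "9.4.20")]:
        print(product, version, assess(product, version))
```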

Atlassian’s June 2024 Security Bulletin makes no mention of any of these vulnerabilities being exploited in the wild.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
