
Atlassian Patches Vulnerabilities in Bamboo, Bitbucket, Confluence, Crowd

Atlassian’s September 2024 monthly security bulletin details multiple high-severity vulnerabilities in four products.

Atlassian on Wednesday announced patches for multiple high-severity vulnerabilities in Bamboo, Bitbucket, Confluence, and Crowd.

According to Atlassian’s September 2024 security bulletin, four bugs were addressed across these products, all of them in third-party components bundled with the applications, and all of them allowing attackers to cause denial-of-service (DoS) conditions.

The company updated Bamboo Data Center and Server to address CVE-2024-34750, a security defect in Coyote, a connector component of Apache Tomcat.

“When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed,” a NIST advisory reads.

Atlassian rates the issue as exploitable by an unauthenticated attacker with no user interaction required, warning that it could “expose assets in your environment susceptible to exploitation.”

Bitbucket Data Center and Server received patches for both the Tomcat Coyote flaw and for CVE-2024-32007, an improper input validation bug in Apache CXF’s JOSE code. The p2c parameter in a JWE header is the PBKDF2 iteration count used by the PBES2 key-wrapping algorithms, so an attacker who specifies a very large value in a token can force the recipient to perform that many hashing rounds before the token is rejected, causing a DoS condition.
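To make the p2c issue concrete, the following is an added example written for this article, not code from Atlassian or Apache CXF. It decodes the protected header of a JWE token and rejects the PBES2 iteration count before any PBKDF2 work is done, which is the hardening a JOSE receiver needs against this class of bug. The ceiling and floor values (MAX_P2C, MIN_P2C), the helper names and the sample headers are all assumptions constructed for the example; the salt and key-length rules follow RFC 7518 section 4.8.

```python
"""Added example: cap the PBES2 iteration count (p2c) before key derivation.

This is illustrative code, not Apache CXF's implementation. MAX_P2C and
MIN_P2C are assumed policy values; tune MAX_P2C to what your hardware can
afford per token, since every accepted value costs that many HMAC rounds.
"""
import base64
import hashlib
import json

MAX_P2C = 100_000   # assumed ceiling: the largest count we are willing to pay for
MIN_P2C = 1_000     # RFC 7518 recommends at least 1000 iterations

# PBES2 algorithms from RFC 7518 and the PRF each one uses
PBES2_ALGS = {
    "PBES2-HS256+A128KW": "sha256",
    "PBES2-HS384+A192KW": "sha384",
    "PBES2-HS512+A256KW": "sha512",
}
# Derived key-wrapping key length in bytes, per algorithm
KEY_LEN = {"sha256": 16, "sha384": 24, "sha512": 32}


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url as used throughout JOSE."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_protected_header(token: str) -> dict:
    """Return the decoded JWE protected header (the first dot-separated segment)."""
    return json.loads(b64url_decode(token.split(".", 1)[0]))


def check_p2c(header: dict) -> int:
    """Validate p2c before doing any PBKDF2 work. Raises ValueError if unsafe."""
    alg = header.get("alg")
    if alg not in PBES2_ALGS:
        raise ValueError(f"not a PBES2 algorithm: {alg!r}")
    p2c = header.get("p2c")
    # JSON allows floats and booleans here; only a plain integer is acceptable
    if not isinstance(p2c, int) or isinstance(p2c, bool):
        raise ValueError("p2c must be an integer")
    if p2c < MIN_P2C:
        raise ValueError(f"p2c {p2c} is below the minimum of {MIN_P2C}")
    if p2c > MAX_P2C:
        raise ValueError(f"p2c {p2c} exceeds the ceiling of {MAX_P2C}")
    return p2c


def derive_key(header: dict, password: bytes) -> bytes:
    """PBES2 key-wrapping key per RFC 7518 4.8.1.1, run only after the cap check."""
    p2c = check_p2c(header)
    alg = header["alg"]
    prf = PBES2_ALGS[alg]
    # Salt is UTF8(alg) || 0x00 || p2s (RFC 7518 section 4.8.1.1)
    salt = alg.encode("utf-8") + b"\x00" + b64url_decode(header["p2s"])
    return hashlib.pbkdf2_hmac(prf, password, salt, p2c, dklen=KEY_LEN[prf])


def make_header(alg: str, p2c, p2s: bytes = b"0123456789abcdef") -> str:
    """Build a constructed protected-header segment for testing (not a real token)."""
    hdr = {"alg": alg, "enc": "A128GCM", "p2s": b64url_encode(p2s), "p2c": p2c}
    return b64url_encode(json.dumps(hdr, separators=(",", ":")).encode())


def safe_to_derive(token: str) -> bool:
    """True if the token's p2c passes policy, False if the receiver should refuse it."""
    try:
        check_p2c(parse_protected_header(token))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed tokens: only the protected header matters for this check.
    tail = ".encKey.iv.ciphertext.tag"
    honest = make_header("PBES2-HS256+A128KW", 4096) + tail
    hostile = make_header("PBES2-HS256+A128KW", 2_000_000_000) + tail
    print("honest token accepted:", safe_to_derive(honest))    # True
    print("hostile token accepted:", safe_to_derive(hostile))  # False
```

The important property is the order of operations: the iteration count is checked against policy before `hashlib.pbkdf2_hmac` ever runs, so a hostile header costs the receiver a JSON parse and nothing more. A library that derives the key first and only then discovers the token is invalid has already spent the attacker’s chosen number of rounds.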

Two vulnerabilities were addressed with the latest Confluence Data Center and Server updates, one affecting the Bouncy Castle Java dependency (CVE-2024-29857) and another in Clojure (CVE-2024-22871).

A patch for the Bouncy Castle Java flaw was included in the latest Crowd Data Center and Server security update as well.


According to Atlassian, all four defects were reported via its bug bounty program. None of them affects confidentiality or integrity; the impact is limited to availability.

Atlassian makes no mention of any of these issues being exploited in the wild but urges users to update their installations to the latest version of each application or to a fixed version as soon as possible.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
