Atlassian on Wednesday announced patches for multiple high-severity vulnerabilities in Bamboo, Bitbucket, Confluence, and Crowd.
A total of four bugs were addressed in these products, all four allowing attackers to cause denial-of-service (DoS) conditions, Atlassian’s September 2024 security bulletin reveals.
The company updated Bamboo Data Center and Server to address CVE-2024-34750, a security defect in Coyote, a connector component of Apache Tomcat.
“When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed,” a NIST advisory reads.
The issue can be targeted by unauthenticated attackers to “expose assets in your environment susceptible to exploitation” with no user interaction required, Atlassian says.
Bitbucket Data Center and Server received patches for both the Tomcat Coyote flaw and for CVE-2024-32007, an improper input validation bug in Apache CXF JOSE code, which could allow an attacker to cause a DoS condition by specifying a large value for the p2c parameter in a token.
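The defensive counterpart to the CXF JOSE issue above is to bound the PBES2 iteration count before any key derivation runs. The following Python is an added example (not Atlassian's or Apache CXF's own code, which is Java); the `MAX_P2C` cap is an assumed local policy value, and the token builder constructs sample JWEs purely for the check.

```python
import base64
import json

# Bounds for the PBES2 "p2c" iteration count: the minimum is the RFC 7518 (4.8.1.2)
# mandate; the cap is this example's assumption, as the RFC sets no maximum.
MIN_P2C = 1000
MAX_P2C = 100_000
PBES2_ALGS = {"PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"}


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url as used in JOSE compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def validate_pbes2_header(jwe_compact: str) -> tuple[bool, str]:
    """Inspect the protected header of a compact JWE and decide whether it is
    safe to proceed to key derivation, before any PBKDF2 work is spent.
    Returns (accepted, reason); non-PBES2 tokens pass because p2c is not
    applicable to them."""
    parts = jwe_compact.split(".")
    if len(parts) != 5:
        return False, "not a compact JWE (expected 5 segments)"
    try:
        header = json.loads(b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return False, "protected header is not valid base64url JSON"
    if not isinstance(header, dict) or header.get("alg") not in PBES2_ALGS:
        return True, "not a PBES2 algorithm; p2c not applicable"
    p2c = header.get("p2c")
    # bool is a subclass of int in Python, so rule it out explicitly.
    if not isinstance(p2c, int) or isinstance(p2c, bool):
        return False, "p2c missing or not an integer"
    if p2c < MIN_P2C:
        return False, f"p2c {p2c} below RFC 7518 minimum {MIN_P2C}"
    if p2c > MAX_P2C:
        return False, f"p2c {p2c} exceeds local cap {MAX_P2C}"
    return True, "p2c within bounds"


def make_jwe_with_header(header: dict) -> str:
    """Constructed compact JWE for testing: real protected header, dummy other segments."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode())] + [enc(b"\x00" * 16)] * 4)


if __name__ == "__main__":
    hdr = {"alg": "PBES2-HS256+A128KW", "enc": "A128CBC-HS256", "p2s": "c2FsdA", "p2c": 2**31 - 1}
    print(validate_pbes2_header(make_jwe_with_header(hdr)))
```

The check runs on the header alone, so a token with an oversized `p2c` is rejected at parse time rather than after the server has already burned the CPU the iteration count demands.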
Two vulnerabilities were addressed with the latest Confluence Data Center and Server updates, one affecting the Bouncy Castle Java dependency (CVE-2024-29857) and another in Clojure (CVE-2024-22871).
A patch for the Bouncy Castle Java flaw was included in the latest Crowd Data Center and Server security update as well.
According to Atlassian, all security defects were reported via its bug bounty program. None of these issues has an impact on confidentiality or integrity.
Atlassian makes no mention of any of these issues being exploited in the wild but urges users to update their installations to the latest version of each application or to a fixed version as soon as possible.