Atlassian this week announced patches for four high-severity vulnerabilities impacting its Jira, Confluence, Bitbucket, and Bamboo products.
Tracked as CVE-2023-22513 (CVSS score of 8.5), the most severe of these issues is described as a remote code execution (RCE) bug in Bitbucket that could impact confidentiality, integrity, and availability. An authenticated attacker can exploit the flaw without user interaction, Atlassian explains.
The issue was introduced in Bitbucket version 8.0.0 and impacts most releases until version 8.14.0. Bitbucket versions 8.9.5, 8.10.5, 8.11.4, 8.12.2, 8.13.1, 8.14.0, and newer address this vulnerability.
The second bug, CVE-2023-22512 (CVSS score of 7.5), is described as a denial-of-service (DoS) issue in the Confluence Data Center and Server products.
According to Atlassian, an unauthenticated attacker can exploit this vulnerability to deny access to resources, “by temporarily or indefinitely disrupting services of a vulnerable host connected to a network”.
The bug was introduced in Confluence version 5.6 and affects the product’s releases up to and including 8.5.0. Atlassian addressed the flaw with the release of Confluence versions 7.19.14 and 8.5.1.
The third vulnerability, CVE-2023-28709 (CVSS score of 7.5), is described as a third-party dependency issue that can be exploited by an attacker to “expose assets in your environment susceptible to exploitation”, Atlassian notes.
Residing in Apache Tomcat, the flaw exists because a fix for another vulnerability, CVE-2023-24998, was incomplete, a NIST advisory explains.
Introduced in Bamboo version 8.1.12, the bug was addressed in Bamboo versions 9.2.4 and 9.3.1. Users of older versions of the product are advised to update to a patched iteration.
The updates released for Jira address CVE-2022-25647 (CVSS score of 7.5), a patch management bug that allows an attacker to expose assets for further exploitation.
The flaw was introduced in Jira version 4.20.0 and was resolved with the release of versions 4.20.25, 5.4.9, 5.9.2, 5.10.1, and 5.11.0.
“The vulnerabilities reported in this security bulletin include 4 high-severity vulnerabilities which have been fixed in new versions of our products, released in the last month. These vulnerabilities are discovered via our Bug Bounty program and pen-testing processes, as well as third party library scans,” Atlassian notes.
The company makes no mention of any of these vulnerabilities being exploited in malicious attacks.