Atlassian, Splunk Patch High-Severity Vulnerabilities

Atlassian and Splunk on Tuesday announced patches for over two dozen vulnerabilities, including high-severity flaws.

Atlassian and Splunk on Tuesday announced patches for more than two dozen vulnerabilities across their product portfolios, including multiple high-severity flaws in third-party components.

Atlassian released fixes for 10 high-severity vulnerabilities in Bamboo Data Center and Server, Bitbucket Data Center and Server, and Confluence Data Center and Server, all of them affecting third-party dependencies.

Bamboo Data Center and Server received patches for five bugs in Apache Commons Compress, AWS SDK for Java, Bouncy Castle Java Cryptography APIs, Apache Tomcat, and Connect2id Nimbus JOSE+JWT components.

Bitbucket Data Center and Server was updated with fixes for flaws in Hazelcast, the Micromatch package, and Spring framework, while the Confluence Data Center and Server update addresses the Apache Commons Compress and Hazelcast issues, along with defects in the Minimatch package and JSON5 library.

Atlassian makes no mention of any of these vulnerabilities being exploited against its products, but users are advised to update their instances as soon as possible. Additional information can be found in the company’s security bulletin.

Splunk on Tuesday published seven security advisories dealing with more than 15 vulnerabilities in its products and third-party dependencies, including a high-severity bug in the Secure Gateway app.

Tracked as CVE-2024-53247 (CVSS score of 8.8), the high-severity flaw is described as a deserialization of untrusted data issue that could allow low-privileged users to execute arbitrary code remotely. The flaw exists due to the insecure usage of the Jsonpickle Python library.
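A defensive guard against this class of bug, as an added example that is not taken from Splunk's advisory or code: untrusted JSON is parsed as plain data and rejected if it carries jsonpickle's `py/` reconstruction tags. The function names and sample inputs are hypothetical and constructed for illustration.

```python
import json

# jsonpickle marks type-reconstruction instructions with keys starting "py/"
# (for example "py/object"); plain data never needs them.
TAG_PREFIX = "py/"


class UntrustedPayloadError(ValueError):
    """Untrusted JSON carried reconstruction tags or ambiguous keys."""


def _no_duplicate_keys(pairs):
    # Duplicate keys let two parsers disagree about what the object contains.
    keys = [key for key, _ in pairs]
    if len(keys) != len(set(keys)):
        raise UntrustedPayloadError("duplicate keys in object")
    return dict(pairs)


def find_jsonpickle_tags(node, path="$"):
    """Return the JSON path of every key that starts with TAG_PREFIX."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.startswith(TAG_PREFIX):
                hits.append(child)
            hits.extend(find_jsonpickle_tags(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_jsonpickle_tags(item, f"{path}[{index}]"))
    return hits


def load_untrusted(text):
    """Parse untrusted JSON as plain data and refuse jsonpickle tags."""
    data = json.loads(text, object_pairs_hook=_no_duplicate_keys)
    hits = find_jsonpickle_tags(data)
    if hits:
        raise UntrustedPayloadError("jsonpickle tags at: " + ", ".join(hits))
    return data


# Constructed sample inputs, not taken from any real request.
PLAIN = '{"device": "phone-1", "tags": ["a", "b"]}'
TAGGED = '{"device": "phone-1", "meta": [{"py/object": "decimal.Decimal"}]}'

if __name__ == "__main__":
    print(load_untrusted(PLAIN))
    print(find_jsonpickle_tags(json.loads(TAGGED)))
```

Pass the returned object onward rather than the original text, so that no later decoder re-parses the raw input.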

Splunk Enterprise versions 9.3.2, 9.2.4, and 9.1.7 were released with patches for this vulnerability, for a medium-severity information disclosure that also affects the Secure Gateway component, and for over a dozen high- and medium-severity bugs in 12 third-party dependencies in Splunk Enterprise.

Splunk also released fixes for two medium- and one low-severity flaw affecting the Dashboards, Search, and Web components of Splunk Enterprise and Splunk Cloud Platform, and announced that Universal Forwarder is not affected by CVE-2024-5535, a low-severity defect in OpenSSL.

Splunk makes no mention of any of these issues being exploited in the wild. Additional information can be found on the company’s security advisories page.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
