
Atlassian, Splunk Patch High-Severity Vulnerabilities

Atlassian and Splunk on Tuesday announced patches for over two dozen vulnerabilities, including high-severity flaws.

Atlassian and Splunk on Tuesday announced patches for more than two dozen vulnerabilities across their product portfolios, including multiple high-severity flaws in third-party components.

Atlassian released fixes for 10 vulnerabilities in Bamboo Data Center and Server, Bitbucket Data Center and Server, and Confluence Data Center and Server, all rated high-severity and all affecting third-party dependencies.

Bamboo Data Center and Server received patches for five bugs in Apache Commons Compress, AWS SDK for Java, Bouncy Castle Java Cryptography APIs, Apache Tomcat, and Connect2id Nimbus JOSE+JWT components.

Bitbucket Data Center and Server was updated with fixes for flaws in Hazelcast, the Micromatch package, and Spring framework, while the Confluence Data Center and Server update addresses the Apache Commons Compress and Hazelcast issues, along with defects in the Minimatch package and JSON5 library.

Atlassian makes no mention of any of these vulnerabilities being exploited against its products, but users are advised to update their instances as soon as possible. Additional information can be found in the company’s security bulletin.

Splunk on Tuesday published seven security advisories dealing with more than 15 vulnerabilities in its products and third-party dependencies, including a high-severity bug in Secure Gateway app.


Tracked as CVE-2024-53247 (CVSS score of 8.8), the high-severity flaw is described as a deserialization of untrusted data issue that could allow low-privileged users to execute arbitrary code remotely. The flaw exists due to the insecure usage of the Jsonpickle Python library.

Splunk Enterprise versions 9.3.2, 9.2.4, and 9.1.7 were released with patches for this vulnerability, for a medium-severity information disclosure that also affects the Secure Gateway component, and for over a dozen high- and medium-severity bugs in 12 third-party dependencies in Splunk Enterprise.

Splunk also released fixes for two medium-severity and one low-severity flaw affecting the Dashboards, Search, and Web components of Splunk Enterprise and Splunk Cloud Platform, and announced that Universal Forwarder is not affected by CVE-2024-5535, a low-severity defect in OpenSSL.

Splunk makes no mention of any of these issues being exploited in the wild. Additional information can be found on the company’s security advisories page.

Related: Ivanti Patches Critical Flaws in Connect Secure, Cloud Services Application

Related: Critical Vulnerability Discovered in SailPoint IdentityIQ

Related: Splunk Patches Several Flaws in Enterprise, Light Products

Related: Study Finds 400,000 Vulnerabilities Across 2,200 Virtual Appliances

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
