Atlassian has released updates to address three security vulnerabilities in its Confluence Server and Data Center and Bamboo Data Center products that, if successfully exploited, could allow remote code execution on vulnerable systems.
The three flaws are listed below:
- CVE-2023-22505 (CVSS score: 8.0) – RCE (remote code execution) in Confluence Data Center and Server (fixed in versions 8.3.2 and 8.4.0)
- CVE-2023-22508 (CVSS score: 8.5) – RCE (remote code execution) in Confluence Data Center and Server (fixed in versions 7.19.8 and 8.2.0)
- CVE-2023-22506 (CVSS score: 7.5) – Injection leading to RCE (remote code execution) in Bamboo Data Center (fixed in versions 9.2.3 and 9.3.1)
According to the company, both CVE-2023-22505 and CVE-2023-22508 allow an authenticated attacker to execute arbitrary code, with high impact on confidentiality, integrity and availability, and require no user interaction. Note that authentication is the only precondition: any valid account on the instance is enough.
The first bug (CVE-2023-22505) was introduced in version 8.0.0, while CVE-2023-22508 was introduced in version 7.4.0 of the software.
According to Atlassian, CVE-2023-22506, introduced in version 8.0.0 of Bamboo Data Center, allows an "authenticated attacker to modify the actions taken by a system call and execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction."
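Because each flaw has an introducing version and fixes on more than one release line, deciding whether a given install is affected is a range check rather than a single comparison. The script below is an added example (not Atlassian's code) that encodes the introduced and fixed versions stated above and runs them against a constructed inventory. The rule for "fixed" is an assumption: a version counts as fixed only if it is at or above the fix on its own major.minor line, or at or above the newest fixed release overall; anything else at or above the introducing version is treated as affected, so a release line that received no fix (for example Confluence 7.20.x, which sits between 7.19.8 and 8.2.0) is reported as affected.

```python
"""Check whether an installed Confluence or Bamboo version falls inside the
affected range of the three CVEs in this advisory.

Added example, not Atlassian's code. The introduced/fixed versions come from
the advisory text; the rule for deciding "fixed" is an assumption (see the
is_affected method).
"""
import re
from dataclasses import dataclass

Version = tuple[int, int, int]


def parse_version(s: str) -> Version:
    """Parse 'major.minor[.patch]'; a trailing suffix such as '-beta' is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    introduced: Version
    fixed: tuple[Version, ...]

    def is_affected(self, installed: Version) -> bool:
        # Versions older than the one that introduced the bug are clean.
        if installed < self.introduced:
            return False
        # Assumed rule 1: patched within the installed major.minor line.
        for f in self.fixed:
            if f[:2] == installed[:2] and installed >= f:
                return False
        # Assumed rule 2: at or beyond the newest fix counts as fixed;
        # anything in between (e.g. an unfixed EOL line) stays affected.
        return installed < max(self.fixed)


# Introduced/fixed versions as stated in the advisory text.
ADVISORIES = (
    Advisory("CVE-2023-22505", "confluence", (8, 0, 0), ((8, 3, 2), (8, 4, 0))),
    Advisory("CVE-2023-22508", "confluence", (7, 4, 0), ((7, 19, 8), (8, 2, 0))),
    Advisory("CVE-2023-22506", "bamboo", (8, 0, 0), ((9, 2, 3), (9, 3, 1))),
)


def affected_cves(product: str, version: str) -> list[str]:
    """Return the CVE IDs from ADVISORIES that apply to product/version."""
    v = parse_version(version)
    return [a.cve for a in ADVISORIES if a.product == product and a.is_affected(v)]


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    inventory = [
        ("wiki-01", "confluence", "7.19.7"),
        ("wiki-02", "confluence", "7.20.3"),
        ("wiki-03", "confluence", "8.3.1"),
        ("wiki-04", "confluence", "8.3.2"),
        ("build-01", "bamboo", "9.2.1"),
        ("build-02", "bamboo", "9.3.1"),
    ]
    for host, product, ver in inventory:
        cves = affected_cves(product, ver)
        status = "AFFECTED: " + ", ".join(cves) if cves else "ok"
        print(f"{host:9} {product:10} {ver:8} {status}")
```

The check is deliberately conservative: an instance on a release line that never received a fix is flagged rather than silently passed, which is the answer an operator needs when deciding what to upgrade.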
Earlier this year, in January, the Australian company shipped patches for a critical authentication flaw in Jira Service Management Server and Data Center that could let an attacker impersonate another user and gain unauthorized access to vulnerable instances (CVE-2023-22501, CVSS score: 9.4).
Weeks later, it also addressed two critical integer overflow flaws in Git (CVE-2022-41903 and CVE-2022-23521) affecting Bitbucket Server and Data Center, Bamboo Server and Data Center, Fisheye, Crucible and SourceTree.
Atlassian products have been a recurring target of attackers in recent years, so administrators should apply these patches promptly; because the three new flaws only require an authenticated account, an instance should be considered exposed to any user who can log in, not just to external, unauthenticated attackers.