
Atlassian patches critical remote code execution vulnerabilities in multiple products

Atlassian has released urgent patches for several of its products to fix remote code execution and denial-of-service vulnerabilities. Flaws in Atlassian products have been exploited by hackers before, including shortly after a patch was released and even before a fix was available.

In October, Atlassian released an emergency fix for a broken access control issue (CVE-2023-22515) affecting on-premises versions of Confluence Server and Confluence Data Center that allowed unauthenticated attackers to create administrator accounts. The vulnerability was already being exploited in the wild as a zero-day when the company released the patch.

In early November, attackers started exploiting another critical improper authorization vulnerability (CVE-2023-22518) in Confluence Data Center and Server only a few days after the patch was released. Older Confluence flaws that have been exploited as zero-days or n-days by multiple groups of attackers include CVE-2022-26134, CVE-2021-26084, and CVE-2019-3396. Customers are therefore urged to apply the newly released December patches as soon as possible.


Confluence template injection and deserialization flaws

One of the critical vulnerabilities patched last week allows authenticated attackers, including those with anonymous access, to inject unsafe code into pages on affected instances of Confluence Data Center and Confluence Server. Atlassian catalogs this flaw (CVE-2023-22522) as a template injection issue and warns that it can lead to remote code execution on the server.

The flaw affects all versions of Confluence Data Center and Server starting with 4.0.0, as well as the standalone Confluence Data Center versions 8.6.0 and 8.6.1. Many of the affected versions have reached end-of-life and are no longer supported. The company advises Confluence Server users to upgrade to version 7.19.17 (LTS), 8.4.5 or 8.5.4 (LTS), and Confluence Data Center users to upgrade to version 8.6.2 or 8.7.1. The vulnerability has no other mitigations, but Atlassian advises customers who cannot patch immediately to back up their instance and remove it from the internet.


Another critical vulnerability patched last week stems from a Java deserialization issue inherited from a third-party parsing library called SnakeYAML. This vulnerability is tracked as CVE-2022-1471 and was patched in SnakeYAML a year ago. Since then, three other flaws, two of high severity and one critical, have been reported in SnakeYAML.
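As an added illustration (not code from this article, Atlassian or the SnakeYAML project), the two SnakeYAML loader configurations that separate the unrestricted deserialization behind CVE-2022-1471 from the type-restricted SafeConstructor that a defender should use for untrusted YAML. The class name YamlLoadingExample, the placeholder tag com.example.PlaceholderType and the sample document are constructed for this example.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

/**
 * Added example, not Atlassian's or SnakeYAML's own code.
 * The constructed document below uses the "!!" global tag syntax through which a
 * YAML document can name a Java class for the parser to instantiate. It points at a
 * non-existent placeholder class so that only the loader behaviour is demonstrated.
 */
public class YamlLoadingExample {

    // Constructed sample input: a global tag asking the parser to build an object of a
    // named class instead of a plain map. The class name is a placeholder.
    static final String TAGGED_DOC =
        "settings: !!com.example.PlaceholderType { value: 1 }\n";

    /** Risky pattern: Constructor honours class tags from the document (the behaviour
     *  behind CVE-2022-1471 in SnakeYAML releases before the fix). */
    static Object loadUnrestricted(String doc) {
        Yaml yaml = new Yaml(new Constructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    /** Hardened pattern: SafeConstructor only materialises standard YAML types
     *  (maps, lists, scalars) and rejects global class tags. */
    static Object loadSafe(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        // Ordinary configuration data loads fine with the safe loader.
        Map<?, ?> cfg = (Map<?, ?>) loadSafe("settings:\n  value: 1\n");
        System.out.println("safe load of plain data: " + cfg);

        // The tagged document is rejected instead of triggering class instantiation.
        try {
            loadSafe(TAGGED_DOC);
        } catch (ConstructorException e) {
            System.out.println("SafeConstructor rejected class tag: " + e.getMessage());
        }
    }
}
```

When auditing a Java code base that parses YAML from users or other systems, every `new Yaml()` or `new Yaml(new Constructor(...))` on untrusted input is a finding; upgrading the library alone does not change call sites that still select the permissive constructor.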
