Atlassian has launched patches for greater than two dozen security flaws, together with a essential bug impacting Bamboo Data Middle and Server that might be exploited with out requiring consumer interplay.
Tracked as CVE-2024-1597, the vulnerability carries a CVSS rating of 10.0, indicating most severity.
Described as an SQL injection flaw, it is rooted in a dependency referred to as org.postgresql:postgresql, on account of which the corporate mentioned it “presents a decrease assessed danger” regardless of the criticality.
“This org.postgresql:postgresql dependency vulnerability […] might permit an unauthenticated attacker to reveal belongings in your atmosphere inclined to exploitation which has excessive influence to confidentiality, excessive influence to integrity, excessive influence to availability, and requires no consumer interplay,” Atlassian mentioned.
In keeping with an outline of the flaw within the NIST’s Nationwide Vulnerability Database (NVD), “pgjdbc, the PostgreSQL JDBC Driver, permits attacker to inject SQL if utilizing PreferQueryMode=SIMPLE.” The driving force variations previous to those listed beneath are impacted –
- 42.7.2
- 42.6.1
- 42.5.5
- 42.4.4
- 42.3.9, and
- 42.2.28 (additionally mounted in 42.2.28.jre7)
“SQL injection is feasible when utilizing the non-default connection property preferQueryMode=easy together with software code that has a susceptible SQL that negates a parameter worth,” the maintainters mentioned in an advisory final month.
“There is no such thing as a vulnerability within the driver when utilizing the default question mode. Customers that don’t override the question mode usually are not impacted.”
The Atlassian vulnerability is claimed to have been launched within the following variations of Bamboo Data Middle and Server –
- 8.2.1
- 9.0.0
- 9.1.0
- 9.2.1
- 9.3.0
- 9.4.0, and
- 9.5.0
The corporate additionally emphasised that Bamboo and different Atlassian Data Middle merchandise are unaffected by CVE-2024-1597 as they don’t use the PreferQueryMode=SIMPLE of their SQL database connection settings.
SonarSource security researcher Paul Gerste has been credited with discovering and reporting the flaw. Customers are suggested to replace their cases to the newest model to guard in opposition to any potential threats.
