Atlassian this week introduced patches for four high-severity vulnerabilities impacting its Jira, Confluence, Bitbucket, and Bamboo products.
Tracked as CVE-2023-22513 (CVSS score of 8.5), the most severe of these issues is described as a remote code execution (RCE) bug in Bitbucket that could impact confidentiality, integrity, and availability. An authenticated attacker can exploit the flaw without user interaction, Atlassian explains.
The issue was introduced in Bitbucket version 8.0.0 and affects most releases until version 8.14.0. Bitbucket versions 8.9.5, 8.10.5, 8.11.4, 8.12.2, 8.13.1, 8.14.0, and newer address this vulnerability.
The second bug, CVE-2023-22512 (CVSS score of 7.5), is described as a denial-of-service (DoS) issue in the Confluence Data Center and Server products.
According to Atlassian, an unauthenticated attacker can exploit this vulnerability to deny access to resources, “by temporarily or indefinitely disrupting services of a vulnerable host connected to a network”.
The bug was introduced in Confluence version 5.6 and affects the product’s releases up to and including 8.5.0. Atlassian addressed the flaw with the release of Confluence versions 7.19.14 and 8.5.1.
The third vulnerability, CVE-2023-28709 (CVSS score of 7.5), is described as a third-party dependency issue that can be exploited by an attacker to “expose assets in your environment susceptible to exploitation”, Atlassian notes.
Residing in Apache Tomcat, the flaw exists because a fix for another vulnerability, CVE-2023-24998, was incomplete, a NIST advisory explains.
Introduced in Bamboo version 8.1.12, the bug was addressed in Bamboo versions 9.2.4 and 9.3.1. Users of older versions of the product are advised to update to a patched iteration.
The updates released for Jira address CVE-2022-25647 (CVSS score of 7.5), a patch management bug that allows an attacker to expose assets for further exploitation.
The flaw was introduced in Jira version 4.20.0 and was resolved with the release of versions 4.20.25, 5.4.9, 5.9.2, 5.10.1, and 5.11.0.
“The vulnerabilities reported in this security bulletin include 4 high-severity vulnerabilities that have been fixed in new versions of our products, released in the last month. These vulnerabilities are discovered via our Bug Bounty program and pen-testing processes, as well as third party library scans,” Atlassian notes.
The company makes no mention of any of these vulnerabilities being exploited in malicious attacks.