
Atlassian Patches High-Severity Vulnerabilities in Bamboo, Confluence, and Jira

Atlassian has recently released a series of security updates that address several high-severity vulnerabilities in its Bamboo, Confluence, and Jira products. Because these products are widely deployed and commonly sit at the center of build pipelines and internal documentation, applying these updates promptly matters for the security and integrity of the systems that depend on them.


Key Vulnerabilities in Bamboo

The most urgent updates pertain to Bamboo Data Center and Server, where two high-severity vulnerabilities have been resolved. The first, tracked as CVE-2024-22262, is a server-side request forgery (SSRF) vulnerability caused by a flaw in the UriComponentsBuilder class of the Spring Framework dependency. This bug affects Bamboo versions 9.0.0 through 9.6.0 and has been addressed in versions 9.6.3 LTS and 9.2.14 LTS. It has a CVSS v2 score of 9.4 and a CVSS v3 score of 8.1, indicating high severity.

The second issue, CVE-2024-21687, is a file inclusion vulnerability that allows an authenticated attacker to display the contents of a local file or execute a different file already stored on the server. This vulnerability, which also affects Bamboo versions 9.0.0 through 9.6.0, was fixed in Bamboo Data Center and Server versions 9.6.4 LTS and 9.2.16 LTS. CVE-2024-21687 has a high impact on confidentiality and integrity but no impact on availability. It has a CVSS v2 score of 8.5 and a CVSS v3 score of 8.1.
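Because the two Bamboo fixes landed at different patch levels on the 9.2 and 9.6 LTS branches, a 9.2.14 or 9.2.15 install is patched against CVE-2024-22262 but not CVE-2024-21687. The following triage script is an added example, not code from Atlassian or from this article; it encodes only the affected range and fixed versions stated above and checks an inventory of Bamboo versions against them. The hostnames in the sample inventory are constructed, and treating 9.6.1 and 9.6.2 as unpatched (the advisory lists the range as "through 9.6.0" but the fix as 9.6.3) is an interpretation, not something the article states.

```python
"""Triage Bamboo Data Center/Server versions against the two CVEs above.

Example code added for this article; fixed versions come from the advisory text,
everything else (inventory, branch interpretation) is constructed or assumed.
"""

# First patched patch-level per (major, minor) release branch, per CVE,
# exactly as stated in the article.
FIXED_VERSIONS = {
    "CVE-2024-22262": {(9, 6): 3, (9, 2): 14},
    "CVE-2024-21687": {(9, 6): 4, (9, 2): 16},
}

# Affected range stated in the article: Bamboo 9.0.0 through 9.6.0.
# Assumption (interpretation, not from the article): 9.6.x releases below the
# listed fix on that branch are treated as unpatched as well.
AFFECTED_MIN = (9, 0, 0)
AFFECTED_MAX_BRANCH = (9, 6)

# Constructed sample inventory; hostnames and versions are invented.
SAMPLE_INVENTORY = [
    ("bamboo-prod.example.internal", "9.2.15"),
    ("bamboo-dev.example.internal", "9.5.1"),
    ("bamboo-lab.example.internal", "9.6.4"),
]


def parse_version(text):
    """Turn 'major.minor.patch' into a comparable integer tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)


def status(version_text, cve):
    """Return a short triage verdict for one version against one CVE."""
    version = parse_version(version_text)
    branch = version[:2]
    # Outside the stated affected range (older than 9.0.0 or newer than the 9.6 branch).
    if version < AFFECTED_MIN or branch > AFFECTED_MAX_BRANCH:
        return "not in affected range"
    fixed_patch = FIXED_VERSIONS[cve].get(branch)
    if fixed_patch is None:
        # 9.0, 9.1, 9.3, 9.4 and 9.5 received no fix of their own.
        return "affected: no fix on this branch, upgrade to a fixed LTS release"
    if version[2] >= fixed_patch:
        return "patched"
    return f"affected: upgrade to {branch[0]}.{branch[1]}.{fixed_patch} or later"


def triage(version_text):
    """Verdicts for every CVE covered by FIXED_VERSIONS."""
    return {cve: status(version_text, cve) for cve in FIXED_VERSIONS}


def report(inventory=SAMPLE_INVENTORY):
    """Flatten an inventory into (host, version, cve, verdict) rows."""
    rows = []
    for host, version in inventory:
        for cve, verdict in triage(version).items():
            rows.append((host, version, cve, verdict))
    return rows


if __name__ == "__main__":
    for row in report():
        print("\t".join(row))
```

Run it as-is to see the three sample hosts; in practice, feed `report()` the versions your asset inventory or build-agent registry reports, and treat any "affected" row on the 9.2 or 9.6 branch as a concrete upgrade target rather than a generic "update Bamboo" ticket.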


Updates in Confluence

Atlassian has also addressed several high-severity vulnerabilities in Confluence Data Center and Confluence Server. Notably, five denial-of-service (DoS) flaws were found in the Apache Commons Compress dependency. Although the vulnerable version of this library ships with Confluence, Confluence does not actively use it, which reduces the immediate risk. The dependency was updated nonetheless so that future upgrades carry a newer, safer version of the library. These fixes were implemented in Confluence Data Center versions 8.9.4, 8.5.12 LTS, and 7.19.25 LTS, and Confluence Server versions 8.5.12 LTS and 7.19.25 LTS. Additionally, a stored cross-site scripting (XSS) vulnerability was patched that could allow an authenticated attacker to execute arbitrary HTML or JavaScript in a victim’s browser.


Jira Vulnerabilities

Jira Software Data Center and Server, along with Jira Service Management Data Center and Server, received updates to fix a high-severity vulnerability in the XStream dependency, tracked as CVE-2022-41966. This vulnerability could be exploited to cause a denial-of-service condition. The fixes were included in Jira Software Data Center and Server versions 9.8.0, 9.12.0 LTS, and 9.4.18 LTS, and Jira Service Management Data Center and Server versions 5.8.0, 5.12.0 LTS, and 5.4.18 LTS.


Detailed CVE Information

One of the most critical vulnerabilities addressed is CVE-2024-22262. This SSRF vulnerability involves the UriComponentsBuilder used to parse externally provided URLs; it can lead to SSRF when an application validates a URL and then uses the parsed result to make a request. Detailed information and references for this CVE can be found on SecurityWeek and Spring.io. Another significant vulnerability, CVE-2024-21687, is a file inclusion flaw that allows an authenticated attacker to display the contents of a local file or execute a different file already stored on the server. This vulnerability has a high impact on confidentiality and integrity but no impact on availability. Further details and references for this CVE can be found on Atlassian JIRA, Atlassian Confluence, and the NVD.


Conclusion

Atlassian’s recent updates address critical vulnerabilities across Bamboo, Confluence, and Jira, ensuring that these popular tools are protected against potential exploits. Users are strongly encouraged to apply these patches promptly to mitigate the risk of unauthorized access, data breaches, and service disruptions. For further details on these updates, please refer to the official Atlassian release notes and security advisories.


How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” through which companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time –

https://www.netizen.net/contact


Copyright © Netizen Corporation. All Rights Reserved.