Atlassian Issues Patches for High-Risk Vulnerabilities in Multiple Products

September 21, 2023

Atlassian, a leading provider of team collaboration and productivity software, has recently rolled out patches to address four high-risk vulnerabilities in its flagship products: Jira, Confluence, Bitbucket, and Bamboo.

The most critical vulnerability, identified as CVE-2023-22513 with a CVSS score of 8.5, is a remote code execution (RCE) bug in Bitbucket. It could compromise confidentiality, integrity, and availability. According to Atlassian, 'An authenticated attacker can exploit the flaw without user interaction'. The vulnerability was introduced in Bitbucket version 8.0.0 and affects most versions before 8.14.0. Atlassian has addressed it in Bitbucket versions 8.9.5, 8.10.5, 8.11.4, 8.12.2, 8.13.1, 8.14.0, and newer.

CVE-2023-22512, with a CVSS score of 7.5, is a denial-of-service (DoS) vulnerability that affects the Confluence Data Center and Server products. Atlassian states that an unauthenticated attacker can exploit this vulnerability to deny access to resources, 'by temporarily or indefinitely disrupting services of a vulnerable host connected to a network'. This flaw was first seen in Confluence version 5.6 and affects up to version 8.5.0. It has been addressed in Confluence versions 7.19.14 and 8.5.1.

The third vulnerability, CVE-2023-28709 (CVSS score of 7.5), is a third-party dependency issue residing in Apache Tomcat. An attacker could exploit this to 'expose assets in your environment susceptible to exploitation', as per Atlassian. The flaw was due to an incomplete fix for another vulnerability, CVE-2023-24998, as explained in a NIST advisory. This bug was first introduced in Bamboo version 8.1.12 and was addressed in Bamboo versions 9.2.4 and 9.3.1. Users of older versions are advised to update to a patched version.

The final vulnerability, CVE-2022-25647 (CVSS score of 7.5), is a patch management bug in Jira that could allow an attacker to expose assets for further exploitation. This flaw was first identified in Jira version 4.20.0 and has been resolved with the release of versions 4.20.25, 5.4.9, 5.9.2, 5.10.1, and 5.11.0.
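Because the fixes above are backported per release branch (for Bitbucket, 8.9.x is fixed at 8.9.5, 8.10.x at 8.10.5, and so on, while 8.0 through 8.8 have no fix and must be upgraded), a version check needs more than a single comparison. The following is an added example, not code from Atlassian or this article, that applies the Bitbucket version data quoted above; the branch-mapping rule (a branch with no listed fix is vulnerable unless it is at or past the newest listed fix) is an assumption derived from the article's wording, and Atlassian's own advisory remains the authoritative source. The function takes any introduced/fixed list, so it can be reused with the Confluence, Bamboo, or Jira version lists from this article.

```python
# Added example (not Atlassian's code): decide whether an installed version is
# covered by a backported fix, using the CVE-2023-22513 version data quoted in
# the article. The branch rule below is an assumption drawn from the article;
# treat Atlassian's advisory as authoritative for edge cases.
from typing import List, Tuple

Version = Tuple[int, ...]

def parse_version(s: str) -> Version:
    """Parse 'major.minor.patch' into a comparable tuple of ints."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(p) for p in parts)

# Versions named in the article for CVE-2023-22513 (Bitbucket).
BITBUCKET_INTRODUCED = "8.0.0"
BITBUCKET_FIXED = ["8.9.5", "8.10.5", "8.11.4", "8.12.2", "8.13.1", "8.14.0"]

def patch_status(installed: str, introduced: str, fixed: List[str]) -> str:
    """Return 'not affected', 'vulnerable', or 'patched' for an installed version.

    Versions below the introducing release are not affected. On a branch
    (major.minor) that has a listed fix, the fix patch level or higher is
    patched. A branch with no listed fix is vulnerable unless the version is
    at or above the newest listed fix, which covers all later releases.
    """
    v = parse_version(installed)
    if v < parse_version(introduced):
        return "not affected"
    fixes = sorted(parse_version(f) for f in fixed)
    by_branch = {f[:2]: f for f in fixes}
    branch_fix = by_branch.get(v[:2])
    if branch_fix is not None:
        return "patched" if v >= branch_fix else "vulnerable"
    # No backported fix on this branch: only the newest fix line or later is safe.
    return "patched" if v >= fixes[-1] else "vulnerable"

if __name__ == "__main__":
    # Constructed sample inventory of Bitbucket instances, not real hosts.
    for host, ver in [("bb-prod", "8.9.4"), ("bb-dev", "8.8.3"), ("bb-new", "8.15.0")]:
        print(host, ver, patch_status(ver, BITBUCKET_INTRODUCED, BITBUCKET_FIXED))
```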

Atlassian, in its security bulletin, mentioned these '4 high-severity vulnerabilities which have been fixed in new versions of our products, released in the last month'. The vulnerabilities were discovered through its Bug Bounty program, penetration-testing processes, and third-party library scans. Atlassian did not mention any reports of these vulnerabilities being exploited in malicious attacks.
