Atlassian, a leading provider of team collaboration and productivity software, has recently rolled out patches to address four high-risk vulnerabilities in its flagship products - Jira, Confluence, Bitbucket, and Bamboo.
The most critical vulnerability, identified as CVE-2023-22513 with a CVSS score of 8.5, is a remote code execution (RCE) bug in Bitbucket. It could compromise confidentiality, integrity, and availability. According to Atlassian, 'An authenticated attacker can exploit the flaw without user interaction'. The vulnerability was introduced in Bitbucket version 8.0.0 and affects versions up to 8.14.0, apart from the fixed releases listed here: Atlassian has addressed it in Bitbucket versions 8.9.5, 8.10.5, 8.11.4, 8.12.2, 8.13.1, 8.14.0, and newer.
CVE-2023-22512, with a CVSS score of 7.5, is a denial-of-service (DoS) vulnerability that affects the Confluence Data Center and Server products. Atlassian states that an unauthenticated attacker can exploit this vulnerability to deny access to resources, 'by temporarily or indefinitely disrupting services of a vulnerable host connected to a network'. This flaw was first seen in Confluence version 5.6 and affects up to version 8.5.0. It has been addressed in Confluence versions 7.19.14 and 8.5.1.
The third vulnerability, CVE-2023-28709 (CVSS score of 7.5), is a third-party dependency issue residing in Apache Tomcat. An attacker could exploit this to 'expose assets in your environment susceptible to exploitation', as per Atlassian. The flaw was due to an incomplete fix for another vulnerability, CVE-2023-24998, as explained in a NIST advisory. This bug was first introduced in Bamboo version 8.1.12 and was addressed in Bamboo versions 9.2.4 and 9.3.1. Users of older versions are advised to update to a patched version.
The final vulnerability, CVE-2022-25647 (CVSS score of 7.5), is a patch management bug in Jira that could allow an attacker to expose assets for further exploitation. This flaw was first identified in Jira version 4.20.0 and has been resolved with the release of versions 4.20.25, 5.4.9, 5.9.2, 5.10.1, and 5.11.0.
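The affected-from and fixed-in versions quoted above are what an administrator needs in order to decide whether an installation still requires an upgrade. The following script is an added example (not Atlassian's code and not from the bulletin): it encodes the version data exactly as stated in this article, parses installed version strings, and classifies each install as not affected, patched, or vulnerable. It goes slightly beyond the text by running that check over a whole inventory. The inventory rows and hostnames are constructed, and the script assumes that an affected release on a major.minor branch which has no fix release of its own (for example Bitbucket 8.3.x) is still vulnerable and must be upgraded to a fixed branch.

```python
"""Classify installed Atlassian product versions against the fixed releases
named in the bulletin summary.

Added example, not Atlassian's own tooling. Version data is copied from the
article text; the sample inventory at the bottom is constructed.
"""

from typing import Any, Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected-from and fixed-in versions as stated in the article.
ADVISORIES: Dict[str, Dict[str, Any]] = {
    "CVE-2023-22513": {"product": "bitbucket", "introduced": "8.0.0",
                       "fixed": ["8.9.5", "8.10.5", "8.11.4", "8.12.2",
                                 "8.13.1", "8.14.0"]},
    "CVE-2023-22512": {"product": "confluence", "introduced": "5.6",
                       "fixed": ["7.19.14", "8.5.1"]},
    "CVE-2023-28709": {"product": "bamboo", "introduced": "8.1.12",
                       "fixed": ["9.2.4", "9.3.1"]},
    "CVE-2022-25647": {"product": "jira", "introduced": "4.20.0",
                       "fixed": ["4.20.25", "5.4.9", "5.9.2", "5.10.1", "5.11.0"]},
}


def parse_version(text: str) -> Version:
    """Turn '8.9.5' (or a short form like '5.6') into a 3-tuple so that
    versions compare numerically rather than as strings ('8.10' > '8.9')."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def status(cve: str, installed: str) -> str:
    """Return 'not_affected', 'patched' or 'vulnerable' for one installed version."""
    adv = ADVISORIES[cve]
    ver = parse_version(installed)
    fixed = sorted(parse_version(v) for v in adv["fixed"])
    if ver < parse_version(adv["introduced"]):
        return "not_affected"
    if ver >= fixed[-1]:
        return "patched"            # at or beyond the newest fixed release
    for fix in fixed:
        if fix[:2] == ver[:2]:      # this major.minor branch has its own fix release
            return "patched" if ver >= fix else "vulnerable"
    # Assumption: an affected branch with no fix release of its own must be
    # upgraded to a fixed branch, so it is reported as vulnerable.
    return "vulnerable"


def vulnerable_hosts(
    inventory: List[Tuple[str, str, str]]
) -> List[Tuple[str, str, str, str]]:
    """Inventory rows are (hostname, product, version). Return one
    (hostname, product, version, cve) row for every install that still needs patching."""
    findings = []
    for host, product, version in inventory:
        for cve, adv in ADVISORIES.items():
            if adv["product"] == product and status(cve, version) == "vulnerable":
                findings.append((host, product, version, cve))
    return findings


if __name__ == "__main__":
    # Constructed inventory for demonstration; hostnames are made up.
    sample = [
        ("git01", "bitbucket", "8.9.4"),
        ("git02", "bitbucket", "8.14.0"),
        ("wiki01", "confluence", "8.5.0"),
        ("ci01", "bamboo", "9.2.4"),
        ("issues01", "jira", "4.20.24"),
    ]
    for row in vulnerable_hosts(sample):
        print("NEEDS PATCH:", *row)
```

Run it against a real inventory by replacing the `sample` list with rows exported from your asset tracking; the classification relies only on the version ranges in the article, so it should be re-checked against the vendor's bulletin whenever Atlassian publishes further fix releases.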
Atlassian, in its security bulletin, mentioned these '4 high-severity vulnerabilities which have been fixed in new versions of our products, released in the last month'. These vulnerabilities were discovered through their Bug Bounty program, pen-testing processes, and third-party library scans. Atlassian did not mention any reports of these vulnerabilities being exploited in malicious attacks.