Atlassian has disclosed three vulnerabilities in its Confluence Data Center & Server and Bamboo Data Center & Server products. The vulnerabilities, tracked as CVE-2023-22505, CVE-2023-22508, and CVE-2023-22506, allow an authenticated attacker to execute arbitrary code, with a high impact on confidentiality, integrity, and availability.
The first vulnerability, CVE-2023-22505, is a high-severity Remote Code Execution (RCE) vulnerability introduced in version 8.0.0 of Confluence Data Center & Server. It received a CVSS score of 8 and allows an authenticated attacker to execute arbitrary code, compromising confidentiality, integrity, and availability without any user interaction. This vulnerability affects versions 8.0.0 up to, but not including, 8.3.2 and 8.4.0; versions 8.3.2 and later, as well as version 8.4.0 and later, are not affected.
The second vulnerability, CVE-2023-22508, is another high-severity RCE vulnerability, first identified in version 7.4.0 of Confluence Data Center & Server. With a slightly higher CVSS score of 8.5, it likewise allows an authenticated attacker to execute arbitrary code, with the same consequences for confidentiality, integrity, and availability and again without user interaction. Confluence Data Center & Server versions 7.19.8 up to, but not including, 8.2.0 are vulnerable; versions 8.2.0 and later are not affected by this issue.
The third vulnerability, CVE-2023-22506, affects Bamboo Data Center and combines an injection vulnerability with RCE. Introduced in version 8.0.0 of Bamboo Data Center, this high-severity vulnerability has a CVSS score of 7.5 and allows an authenticated attacker to alter system call actions and execute arbitrary code, again with high impact on confidentiality, integrity, and availability and without user interaction. Bamboo Data Center and Server versions from 8.0.0 up to, but not including, 9.2.3 and 9.3.1 are affected; versions 9.2.3 and 9.3.1 and their subsequent releases are not affected.
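The affected and fixed versions above are what a defender needs to triage an inventory. The following is an added example, not part of the advisory or of Atlassian's own tooling: it encodes the version ranges from this page as half-open intervals and reports which CVEs apply to a given installed version. It assumes that the Bamboo ranges mean two fixed branches (9.2.3 fixes the 9.2 line, 9.3.1 fixes the 9.3 line, so 9.3.0 is treated as affected), and the inventory at the bottom is constructed sample data.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted version string such as '8.3.2' into a comparable tuple.

    Only the leading numeric segments are used (a suffix like '-build1' is
    ignored) and missing trailing components are zero-padded, so '8.3'
    compares equal to '8.3.0'.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


# Affected ranges as [introduced, fixed) intervals, taken from the advisory
# text above. A product with several maintained branches gets one interval
# per branch that shipped a fix (assumed reading for Bamboo 9.2.x / 9.3.x).
AFFECTED: Dict[str, List[Tuple[str, Version, Version]]] = {
    "confluence": [
        ("CVE-2023-22505", parse_version("8.0.0"), parse_version("8.3.2")),
        ("CVE-2023-22508", parse_version("7.19.8"), parse_version("8.2.0")),
    ],
    "bamboo": [
        ("CVE-2023-22506", parse_version("8.0.0"), parse_version("9.2.3")),
        ("CVE-2023-22506", parse_version("9.3.0"), parse_version("9.3.1")),
    ],
}


def affected_cves(product: str, version: str) -> List[str]:
    """Return the CVEs from the advisory that apply to this product version."""
    v = parse_version(version)
    hits: List[str] = []
    for cve, introduced, fixed in AFFECTED.get(product.lower(), []):
        if introduced <= v < fixed and cve not in hits:
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = [("wiki-01", "confluence", "8.1.4"),
                 ("ci-01", "bamboo", "9.3.0"),
                 ("wiki-02", "confluence", "8.3.2")]
    for host, product, ver in inventory:
        cves = affected_cves(product, ver)
        print(f"{host:8} {product:10} {ver:8} "
              f"{'PATCH: ' + ', '.join(cves) if cves else 'not affected'}")
```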
The consequences of these vulnerabilities could be significant. An attacker who successfully exploits one of them could gain full control of the affected server, leading to data theft, malware deployment, or disruption of operations. Atlassian has released patches for these vulnerabilities in Confluence and Bamboo, and users are strongly advised to update to the latest versions of these products as soon as possible.