Atlassian Security Patches

Atlassian Addresses High-Severity Vulnerabilities in Confluence, Crucible, and Jira

Atlassian, a leading software company, recently released critical security updates to address vulnerabilities in their popular products: Confluence, Crucible, and Jira.

Let’s look at the details:

Confluence Data Center and Server Update:

The update resolves six security defects related to various dependencies.

  • Most Severe Flaw (CVE-2024-22257): A broken access control issue in the Spring Framework could allow unauthenticated attackers to expose sensitive assets.
  • SSRF Vulnerabilities (CVE-2024-22243, CVE-2024-22262, CVE-2024-22259): These server-side request forgery vulnerabilities affect the URL parsing functionality in Spring Framework.
  • Out-of-Bounds Write Bugs: Patches address two out-of-bounds write bugs in Apache Commons Configuration, which could lead to denial-of-service (DoS) attacks.
  • Affected Versions: Confluence Data Center and Server versions 8.9.3, 8.5.11 (LTS), and 7.19.24 (LTS).

Crucible Data Center and Server Update:

Crucible versions 4.8.0 and below suffer from a deserialization vulnerability in the com.google.code.gson:gson package. Unauthenticated attackers could easily exploit this flaw to cause a DoS condition.

Crucible Data Center and Server versions 4.8.15 and higher address this issue.

Jira Data Center and Server Updates:

  • Information Disclosure Vulnerability (CVE-2024-21685): This defect is fixed in Jira versions 9.16.0, 9.16.1, 9.12.8, 9.12.10 (LTS), 9.4.21, and 9.4.23 (LTS).
  • Jira Service Management: The same vulnerability is fixed in Jira Service Management versions 5.16.0, 5.16.1, 5.12.8, 5.12.10 (LTS), 5.4.21, and 5.4.23 (LTS).

Important Note: Atlassian’s June 2024 Security Bulletin does not report any active exploitation of these vulnerabilities.

Stay vigilant and apply these updates promptly to secure your systems!
