Atlassian Addresses High-Severity Vulnerabilities in Confluence, Crucible, and Jira

Atlassian Security Patches

Atlassian, a leading software company, recently released critical security updates to address vulnerabilities in their popular products: Confluence, Crucible, and Jira.

Let’s explore the details:

Confluence Data Center and Server Update:

The update resolves six security defects related to various dependencies.

  • Most Severe Flaw (CVE-2024-22257): A broken access control issue in the Spring Framework could allow unauthenticated attackers to expose sensitive assets.
  • SSRF Vulnerabilities (CVE-2024-22243, CVE-2024-22262, CVE-2024-22259): These server-side request forgery vulnerabilities affect the URL parsing functionality in Spring Framework.
  • Out-of-Bounds Write Bugs: Patches address two out-of-bounds write bugs in Apache Commons Configuration, which could lead to denial-of-service (DoS) attacks.
  • Affected Versions: Confluence Data Center and Server versions 8.9.3, 8.5.11 (LTS), and 7.19.24 (LTS).

Crucible Data Center and Server Update:

Crucible versions 4.8.0 and below suffer from a deserialization vulnerability in the com.google.code.gson:gson package. Unauthenticated attackers could easily exploit this flaw to cause a DoS condition.

Crucible Data Center and Server versions 4.8.15 and higher address this issue.

Jira Data Center and Server Updates:

  • Information Disclosure Vulnerability (CVE-2024-21685): Jira versions 9.16.0, 9.16.1, 9.12.8, 9.12.10 (LTS), 9.4.21, and 9.4.23 (LTS) now resolve this defect.
  • Jira Service Management: The same vulnerability is fixed in Jira Service Management versions 5.16.0, 5.16.1, 5.12.8, 5.12.10 (LTS), 5.4.21, and 5.4.23 (LTS).
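A practical follow-up to the Crucible and Jira notes above is checking whether an installed version is at or past the fix for its own release branch. A plain numeric comparison gets this wrong: Jira 9.12.7 is newer than 9.4.23 but still sits below the 9.12 fix (9.12.8). The script below is an added example written for this article, not Atlassian's own tooling; it takes the fixed versions as listed above, groups them by major.minor branch, and reports whether an installed build is fixed, still vulnerable, or on a branch the bulletin does not list. Treating Crucible as a single threshold (4.8.15 and higher) is our reading of the text; the `-lts` suffix handling and the product keys are assumptions for the example.

```python
from typing import Optional

Version = tuple[int, ...]

# Fixed versions exactly as listed in the bulletin summary above.
FIXED_VERSIONS: dict[str, list[str]] = {
    "jira": ["9.16.0", "9.16.1", "9.12.8", "9.12.10", "9.4.21", "9.4.23"],
    "jira-service-management": ["5.16.0", "5.16.1", "5.12.8", "5.12.10", "5.4.21", "5.4.23"],
    "crucible": ["4.8.15"],
}

# Products where the bulletin gives one "and higher" threshold rather than a
# backport per branch. Our reading of the Crucible note: anything >= 4.8.15 is fixed.
SINGLE_THRESHOLD = {"crucible"}


def parse_version(text: str) -> Version:
    """Turn '9.12.10' into (9, 12, 10). A trailing '-lts' style suffix is dropped (assumed format)."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def lowest_fix_per_branch(product: str) -> dict[tuple[int, int], Version]:
    """Map each major.minor branch to the lowest fixed version the bulletin lists for it."""
    branches: dict[tuple[int, int], Version] = {}
    for text in FIXED_VERSIONS[product]:
        fixed = parse_version(text)
        key = (fixed[0], fixed[1])
        if key not in branches or fixed < branches[key]:
            branches[key] = fixed
    return branches


def patch_status(product: str, installed: str) -> str:
    """Return 'fixed', 'vulnerable', or 'unknown-branch' for an installed version string."""
    current = parse_version(installed)
    if product in SINGLE_THRESHOLD:
        threshold = min(parse_version(t) for t in FIXED_VERSIONS[product])
        return "fixed" if current >= threshold else "vulnerable"
    fix: Optional[Version] = lowest_fix_per_branch(product).get((current[0], current[1]))
    if fix is None:
        # The bulletin lists no fixed build on this branch (e.g. a non-LTS feature release);
        # the instance needs an upgrade to a listed branch, or a check of the full advisory.
        return "unknown-branch"
    return "fixed" if current >= fix else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        ("jira", "9.12.7"),
        ("jira", "9.12.10"),
        ("jira", "9.13.2"),
        ("jira-service-management", "5.4.21"),
        ("crucible", "4.8.0"),
        ("crucible", "4.9.1"),
    ]
    for product, version in inventory:
        print(f"{product:24} {version:8} -> {patch_status(product, version)}")
```

Feed it your real inventory (product name and reported version) and act on every `vulnerable` line; treat `unknown-branch` as a prompt to move that instance onto one of the branches the bulletin actually patches.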

Important Note: Atlassian’s June 2024 Security Bulletin does not report any active exploitation of these vulnerabilities.

Stay vigilant and apply these updates promptly to secure your systems!
