Atlassian Releases Patches for Critical Flaws in Confluence and Bamboo

July 25, 2023 | THN | Server Security / Zero Day


Atlassian has released updates to address three security flaws affecting its Confluence Server, Confluence Data Center and Bamboo Data Center products. Successful exploitation could lead to remote code execution on a vulnerable instance.

The list of flaws is as follows:

  • CVE-2023-22505 (CVSS score: 8.0) – RCE (Remote Code Execution) in Confluence Data Center and Server (fixed in versions 8.3.2 and 8.4.0)
  • CVE-2023-22508 (CVSS score: 8.5) – RCE (Remote Code Execution) in Confluence Data Center and Server (fixed in versions 7.19.8 and 8.2.0)
  • CVE-2023-22506 (CVSS score: 7.5) – Injection, RCE (Remote Code Execution) in Bamboo Data Center (fixed in versions 9.2.3 and 9.3.1)

CVE-2023-22505 and CVE-2023-22508 allow authenticated attackers to “execute arbitrary code with significant impact on confidentiality, integrity, and availability, and without user interaction,” the company said.

CVE-2023-22505 was first introduced in Confluence version 8.0.0, while CVE-2023-22508 was introduced in version 7.4.0 of the software.


According to Atlassian, CVE-2023-22506, introduced in Bamboo Data Center version 8.0.0, allows “authenticated attackers to modify the actions taken by system calls to execute arbitrary code with significant impact on confidentiality, integrity and availability, and without user interaction.”
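Because each fix is shipped on more than one maintenance branch, "fixed in 8.3.2 and 8.4.0" is not a single cut-off: 8.3.1 and 8.4.0 sit on either side of it, yet 8.3.1 is vulnerable and 8.3.2 is not. The checker below is an added example (not Atlassian's tooling or code from this article) that applies the introduced and fixed versions listed above to an installed version. It assumes Atlassian's usual convention that a listed fix version covers its own major.minor branch from that patch level onwards, that the highest listed version and everything after it is fixed, and that intermediate branches without a backport remain vulnerable; the hostnames in the sample inventory are made up.

```python
"""Check an installed Confluence or Bamboo version against the three advisories
discussed above (CVE-2023-22505, CVE-2023-22508, CVE-2023-22506).

Assumption (not stated on the page): "fixed in X.Y.Z and A.B.C" means the X.Y
maintenance branch is fixed from X.Y.Z onwards and everything at or above the
highest listed version (A.B.C) is fixed; branches in between with no backport
remain vulnerable. The version numbers themselves are taken from the page.
"""

from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '8.3.2' (or '8.3', '7.19.8-rc1') into a comparable (major, minor, patch) tuple."""
    core = text.strip().split("-")[0]          # drop any pre-release/build suffix
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))            # pad '8.3' -> (8, 3, 0)
    return (parts[0], parts[1], parts[2])


@dataclass(frozen=True)
class Advisory:
    cve: str
    introduced: Version              # first vulnerable version
    fixed: Tuple[Version, ...]       # branch backports plus the mainline fix


# Ranges copied from the advisory summary above.
ADVISORIES = {
    "confluence": (
        Advisory("CVE-2023-22505", parse_version("8.0.0"),
                 (parse_version("8.3.2"), parse_version("8.4.0"))),
        Advisory("CVE-2023-22508", parse_version("7.4.0"),
                 (parse_version("7.19.8"), parse_version("8.2.0"))),
    ),
    "bamboo": (
        Advisory("CVE-2023-22506", parse_version("8.0.0"),
                 (parse_version("9.2.3"), parse_version("9.3.1"))),
    ),
}


def is_fixed(version: Version, fixed: Tuple[Version, ...]) -> bool:
    """True if the version carries the fix, on the mainline or via a same-branch backport."""
    if version >= max(fixed):                   # mainline fix and everything after it
        return True
    return any(version[:2] == f[:2] and version >= f for f in fixed)


def is_affected(version: Version, adv: Advisory) -> bool:
    return adv.introduced <= version and not is_fixed(version, adv.fixed)


def affected_cves(product: str, version_text: str) -> List[str]:
    """Return the CVE IDs from the advisories above that apply to this installed version."""
    version = parse_version(version_text)
    return [a.cve for a in ADVISORIES[product.lower()] if is_affected(version, a)]


if __name__ == "__main__":
    # Constructed sample inventory (hostnames are made up), not data from the page.
    inventory = [("wiki-01", "confluence", "8.3.1"), ("wiki-02", "confluence", "7.19.7"),
                 ("ci-01", "bamboo", "9.3.0"), ("ci-02", "bamboo", "9.2.3")]
    for host, product, version in inventory:
        hits = affected_cves(product, version)
        status = "PATCH: " + ", ".join(hits) if hits else "ok"
        print(f"{host:8} {product:10} {version:8} {status}")
```

Note that a Confluence 7.20.x or 8.0.x install is reported as affected by CVE-2023-22508 even though it is newer than 7.19.8, because those branches received no backport; only 7.19.8+ on the 7.19 branch and 8.2.0 or later are clean. The same logic flags Bamboo 9.3.0 while clearing 9.2.3.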

Earlier this January, the Australian company shipped a patch addressing a critical security flaw in Jira Service Management Server and Data Center (CVE-2023-22501, CVSS score: 9.4) that could be exploited by an attacker to gain unauthorized access to a vulnerable instance by impersonating another user.

A few weeks later, Atlassian also published fixes for two critical Git overflow flaws (CVE-2022-41903 and CVE-2022-23521) affecting Bitbucket Server and Data Center, Bamboo Server and Data Center, Fisheye, Crucible, and Sourcetree.

Security vulnerabilities in Atlassian server products have been repeatedly targeted in attacks in recent years, and users are encouraged to apply the patches promptly to protect against potential threats.
