Atlassian patches vulnerabilities in server, data centre products

Also broadens scope of vulnerability disclosures.

Atlassian last Friday announced fixes for three remote code execution (RCE) vulnerabilities.

The three bugs are rated as high rather than critical severity, since they’re exploitable only by authenticated users.

CVE-2023-22505, discovered in the company’s bug bounty program, has a CVSS score of 8, and was introduced in version 8.0.0 of Confluence data centre and server products.

It’s an RCE that allows an attacker to execute arbitrary code without user interaction. 

Users are advised to upgrade their instance to the latest version. If they cannot, they can upgrade to 8.3.2 or 8.4.0, which include the fix.

CVE-2023-22508 is another RCE that has the same impact as CVE-2023-22505, introduced in Confluence data centre and server 7.4.0, and was also reported through Atlassian’s bug bounty.

Users who can’t upgrade to the latest version can use version 8.2.0, which includes the fix.

Finally, there’s CVE-2023-22506, an RCE in Bamboo discovered in private pentesting.

This RCE was introduced in Bamboo data centre 8.0.0: “Atlassian recommends that you upgrade your instance to latest version. If you're unable to upgrade to latest, upgrade to one of these fixed versions: 9.2.3 and 9.3.1,” the advisory stated.
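As an added example (not code from the article or from Atlassian), the following Python checker encodes the introduced and fixed versions the article reports for the three CVEs and tells you which ones an installed Confluence or Bamboo version is still exposed to. It assumes that a fix covers its own major.minor branch from the fixed release onward and that any release newer than the highest fixed version is also fixed; the vendor advisories' own affected-version tables remain the authoritative source.

```python
"""Affected-version check for the three Atlassian advisories described above.

Added example, not Atlassian's code. The range semantics (a fix covers its
own major.minor branch from the fixed release onward, and every release newer
than the highest fixed version) are an assumption drawn from the article's
wording, not something the advisories state verbatim.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    introduced: str   # first affected release, per the article
    fixed: tuple      # fixed releases named in the article


# Version data taken from the article; the assumed range semantics are in is_affected().
ADVISORIES = (
    Advisory("CVE-2023-22505", "Confluence", "8.0.0", ("8.3.2", "8.4.0")),
    Advisory("CVE-2023-22508", "Confluence", "7.4.0", ("8.2.0",)),
    Advisory("CVE-2023-22506", "Bamboo", "8.0.0", ("9.2.3", "9.3.1")),
)


def parse_version(text):
    """Turn '8.3.2' (or '8.3.2-LTS') into a comparable tuple of ints.

    Non-numeric suffixes are dropped; missing components are padded with 0
    so '8.3' compares as (8, 3, 0).
    """
    parts = []
    for component in text.strip().split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component {component!r} in {text!r}")
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version, advisory):
    """True if `version` falls inside the advisory's affected range."""
    v = parse_version(version)
    if v < parse_version(advisory.introduced):
        return False              # predates the bug
    fixed = [parse_version(f) for f in advisory.fixed]
    for f in fixed:
        if v[:2] == f[:2] and v >= f:
            return False          # fixed on this major.minor branch (assumption)
    if v >= max(fixed):
        return False              # newer than every named fix (assumption)
    return True


def affected_cves(product, version):
    """Return the CVE ids from ADVISORIES that still apply to this install."""
    return [a.cve for a in ADVISORIES
            if a.product == product and is_affected(version, a)]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("Confluence", "8.1.0"), ("Confluence", "8.3.2"),
                 ("Bamboo", "9.3.0"), ("Bamboo", "7.2.1")]
    for product, version in inventory:
        hits = affected_cves(product, version)
        print(f"{product} {version}: {', '.join(hits) if hits else 'not affected'}")
```

Run it against an exported inventory of product versions; anything that returns a non-empty list is a host that still needs one of the upgrades named above.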

The company’s advisories noted that Atlassian recently increased the scope of its disclosures: “previously we focused on disclosing first party, critical severity vulnerabilities via critical advisories.”

It has now decided that lower-rated vulnerabilities should also be disclosed, but added that “it does not mean there are more vulnerabilities.”

“Rather, we are taking a more proactive approach to vulnerability transparency and are committed to providing our customers with the information they need to make informed decisions about updating our products,” the company said.

Copyright © iTnews.com.au . All rights reserved.