Atlassian has patched high-severity vulnerabilities in its Confluence, Jira, and Bamboo products.
To address the flaws, Atlassian quickly released patches for the affected versions (9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, and 9.6.0).
The flaw with the highest CVSS score, CVE-2024-21687, is a file inclusion vulnerability.
Atlassian, a leading software company, has issued security updates for its Confluence, Jira, Bitbucket, and Bamboo products to address a number of high-severity vulnerabilities. These flaws may allow malicious actors to execute arbitrary code on targeted systems. The vulnerabilities fixed by this update include CVE-2024-21687 (File Inclusion Vulnerability), CVE-2024-22262 (SSRF Vulnerability), CVE-2024-21686 (Stored XSS Vulnerability), CVE-2021-36090 (Denial of Service Vulnerability), CVE-2024-21688 (Dependency Vulnerability), and CVE-2022-41966 (Denial of Service Vulnerability).
These flaws were found through third-party library scans, Atlassian’s Bug Bounty program, and penetration testing. They affect product versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, and 9.6.0. CVE-2024-21687, the most severe of these vulnerabilities, has a CVSS score of 8.1 out of 10. Exploitation of these flaws could result in data theft, unauthorized access, and compromised networks.
The updates also fixed over a dozen vulnerabilities in the bundled Java Development Kit, but these did not affect the .zip/.tar.gz distribution. These flaws were present in the 7.0.1 versions of Confluence Data Center and Server. Among the additional corrections is a patch for a stored cross-site scripting (XSS) issue that permitted the execution of arbitrary code in browsers.
Mitigation Measures

Atlassian advises users to upgrade to the most recent versions of their installations. Additionally, users are urged to check the Vulnerability Disclosure Portal to see whether the new vulnerabilities affect the versions of their products. Even though there has been no public disclosure of these flaws being exploited in the wild, users are urged to apply the patched updates as soon as possible.
In accordance with Atlassian’s security best practices, users should also examine and verify that instances are correctly configured. Users should consider workarounds for systems that cannot be updated immediately while increasing their vigilance for suspicious activity involving Atlassian products.