Atlassian patches vulnerabilities in server, data centre products


Atlassian last Friday announced fixes for three remote code execution (RCE) vulnerabilities.



The three bugs are rated as high rather than critical severity, since they’re exploitable only by authenticated users.

CVE-2023-22505, discovered in the company’s bug bounty program, has a CVSS score of 8, and was introduced in version 8.0.0 of Confluence data centre and server products.

It’s an RCE that allows an attacker to execute arbitrary code without user interaction. 

Users are advised to upgrade their instance to the latest version. If they cannot, they can upgrade to 8.3.2 or 8.4.0, which include the fix.

CVE-2023-22508 is another RCE that has the same impact as CVE-2023-22505, introduced in Confluence data centre and server 7.4.0, and was also reported through Atlassian’s bug bounty.

Users who can’t upgrade to the latest version can use version 8.2.0, which includes the fix.

Finally, there’s CVE-2023-22506, an RCE in Bamboo discovered in private pentesting.

This RCE was introduced in Bamboo data centre 8.0.0: “Atlassian recommends that you upgrade your instance to latest version. If you’re unable to upgrade to latest, upgrade to one of these fixed versions: 9.2.3 and 9.3.1,” the advisory stated.
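For anyone inventorying Confluence or Bamboo instances, the three advisories reduce to a version-range check. The following is an added example, not Atlassian's tooling: the introduced and fixed versions are exactly those stated above, while the branch rule (a version counts as fixed when it is at or above the fix for its own major.minor line, or at or above the newest fixed version overall) is this example's own assumption, as is the inference that a release such as Bamboo 9.3.0, which sits between the introduction and a listed fix, is affected.

```python
"""Version-range check for the three Atlassian RCEs described above.

Added example, not Atlassian's code. The introduced and fixed versions
are the ones the article states; the branch logic is an assumption of
this example, and any fix version the article does not mention (for
instance a backport to a long-term-support line) would have to be added
to the ADVISORIES table before trusting its verdict.
"""
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '8.3.2' into (8, 3, 2); shorter strings are padded with zeros."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


# (CVE, product, introduced-in, fixed-in versions) -- all values from the article
ADVISORIES = [
    ("CVE-2023-22505", "confluence", "8.0.0", ["8.3.2", "8.4.0"]),
    ("CVE-2023-22508", "confluence", "7.4.0", ["8.2.0"]),
    ("CVE-2023-22506", "bamboo", "8.0.0", ["9.2.3", "9.3.1"]),
]


def is_fixed(version: Version, fixed: List[str]) -> bool:
    """Assumed rule: fixed if >= the newest fix overall, or >= the fix for its own
    major.minor branch (so 9.2.4 is fixed by 9.2.3, but 9.3.0 is not fixed by 9.3.1)."""
    fixed_versions = sorted(parse_version(f) for f in fixed)
    if version >= fixed_versions[-1]:
        return True
    return any(version[:2] == f[:2] and version >= f for f in fixed_versions)


def affected_cves(product: str, version_text: str) -> List[str]:
    """Return the CVEs from the table that apply to this product version."""
    version = parse_version(version_text)
    hits = []
    for cve, prod, introduced, fixed in ADVISORIES:
        if prod != product:
            continue
        if version < parse_version(introduced):
            continue  # predates the vulnerable code
        if is_fixed(version, fixed):
            continue  # carries the patch
        hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("confluence", "8.3.1"), ("confluence", "7.19.0"),
                 ("confluence", "8.5.0"), ("bamboo", "9.3.0"), ("bamboo", "9.2.3")]
    for product, ver in inventory:
        cves = affected_cves(product, ver)
        print(f"{product} {ver}: {', '.join(cves) if cves else 'not affected'}")
```

Running it over the constructed inventory flags Confluence 8.3.1 for CVE-2023-22505 only (it already carries the 8.2.0 fix for CVE-2023-22508), Confluence 7.19.0 for CVE-2023-22508 only (it predates 8.0.0), and Bamboo 9.3.0 for CVE-2023-22506, while 8.5.0 and 9.2.3 come back clean.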

The company’s advisories noted that Atlassian recently increased the scope of its disclosures: “previously we focused on disclosing first party, critical severity vulnerabilities via critical advisories.”

It has now decided that lower-rated vulnerabilities should also be disclosed, but added that “it does not mean there are more vulnerabilities.”

“Rather, we are taking a more proactive approach to vulnerability transparency and are committed to providing our customers with the information they need to make informed decisions about updating our products,” the company said.
