On July 18th, Atlassian discovered critical and high vulnerabilities through bug bounty programs, third-party library scans, and penetration testing.
In their security bulletin, they addressed three high-severity vulnerabilities detected in Confluence Data Center and Server and in Bamboo Data Center.
Atlassian has confirmed that these vulnerabilities were fixed in their new version of products.
Summary of the Vulnerabilities
CVE-2023-22505
This high-severity RCE was reported through the bug bounty program and affects version 8.0.0 of Confluence Data Center & Server.
This RCE (Remote Code Execution) vulnerability, with a CVSS score of 8, allows an authenticated attacker to execute arbitrary code.
It has a high impact on CIA (confidentiality, integrity, and availability) and requires no user interaction.
Recommendation:
Atlassian recommends that you upgrade your instance to the latest version.
If you're unable to upgrade to the latest version, upgrade to one of these fixed versions: 8.3.2 or 8.4.0.
CVE-2023-22508
This high-severity RCE vulnerability was also reported through the bug bounty program and affects version 7.4.0 of Confluence Data Center & Server.
This RCE (Remote Code Execution) vulnerability, with a CVSS score of 8.5, allows an authenticated attacker to execute arbitrary code. It has a high impact on confidentiality, integrity, and availability, and requires no user interaction.
Recommendation:
Atlassian recommends that users upgrade their instances to the latest version. If that is not possible, upgrade to the fixed version: 8.2.0.
CVE-2023-22506
This high-severity injection and RCE vulnerability was discovered through an internal penetration testing program.
This injection and RCE (Remote Code Execution) vulnerability, with a CVSS score of 7.5, affects version 8.0.0 of Bamboo Data Center.
It allows an authenticated attacker to modify the actions taken by a system call and execute arbitrary code.
Recommendation:
Atlassian recommends upgrading the instance to the latest version, or to one of these fixed versions: 9.2.3 or 9.3.1.
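A quick way to triage an inventory of instances against the three advisories above, as an added example (not from the article or from Atlassian): it compares an instance's version string with the first affected and fixed versions listed in this bulletin. The range semantics are an assumption made here, not something the article states: a version is treated as affected from the listed affected version up to the fixed version on its release branch, so confirm against Atlassian's own bulletin before acting on the result.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Product, first affected version and fixed versions, as listed in the article.
# Range semantics are an assumption made in this example: a version counts as
# affected from the first affected version up to the fix on its own branch.
ADVISORIES = {
    "CVE-2023-22505": ("Confluence", (8, 0, 0), [(8, 3, 2), (8, 4, 0)]),
    "CVE-2023-22508": ("Confluence", (7, 4, 0), [(8, 2, 0)]),
    "CVE-2023-22506": ("Bamboo", (8, 0, 0), [(9, 2, 3), (9, 3, 1)]),
}


def parse_version(text: str) -> Version:
    """Turn '8.3.1' or '8.3.1-rc1' into a comparable (major, minor, patch) tuple."""
    core = text.strip().split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {text!r}")
    return parts


def is_fixed(version: Version, fixed: List[Version]) -> bool:
    """Fixed if at or above the fix on its own release branch, or on a
    later branch than the newest branch that received a fix."""
    branch = version[:2]
    for fix in fixed:
        if fix[:2] == branch:
            return version >= fix
    return branch > max(fix[:2] for fix in fixed)


def assess(product: str, version_text: str) -> Dict[str, str]:
    """Per-CVE status for one instance: 'not affected', 'vulnerable' or 'fixed'."""
    version = parse_version(version_text)
    report: Dict[str, str] = {}
    for cve, (prod, first_affected, fixed) in ADVISORIES.items():
        if prod != product:
            continue
        if version < first_affected:
            report[cve] = "not affected"
        elif is_fixed(version, fixed):
            report[cve] = "fixed"
        else:
            report[cve] = "vulnerable"
    return report


if __name__ == "__main__":
    # Constructed sample inventory (product, version) for illustration only.
    for product, ver in [("Confluence", "8.3.1"), ("Confluence", "7.19.10"), ("Bamboo", "9.2.1")]:
        print(product, ver, assess(product, ver))
```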