Atlassian’s Bamboo has critical SQL injection vulnerability


Atlassian’s monthly security roll-up includes a patch for a critical SQL injection vulnerability in its Bamboo data centre and server products.



The critical vulnerability is CVE-2024-1597, in the PostgreSQL JDBC driver (pgjdbc). It is only exploitable when the driver’s preferQueryMode connection property is set to “simple”, which is neither the driver’s default (“extended”) nor the configuration Atlassian’s products use.
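Because the bug is conditional on one driver setting, the check an operator wants is whether any of their own JDBC connections select that mode. The script below is an added example for this article, not code from Atlassian, pgjdbc or the advisory. It assumes the standard pgjdbc URL form (jdbc:postgresql://host[:port]/db?key=value&...), that driver properties may also arrive as a key/value map (modelled as a dict), and that an Atlassian product’s JDBC URL sits in a cfg.xml-style file under a property whose name ends in “connection.url”; the sample file and host names are constructed for the example.

```python
"""Flag pgjdbc connections configured in the 'simple' query mode named in the advisory.

Added example; not code from the article, Atlassian or pgjdbc. Assumes the standard
pgjdbc URL form, a dict for driver properties, and a cfg.xml-style file whose
"*connection.url" property holds the JDBC URL (sample below is constructed).
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

PGJDBC_PREFIX = "jdbc:postgresql:"
QUERY_MODE_PROPERTY = "preferQueryMode"   # pgjdbc property name (matched case-sensitively by the driver)
AFFECTED_MODE = "simple"                  # the only value CVE-2024-1597 applies to
DEFAULT_MODE = "extended"                 # pgjdbc's default when the property is absent


def url_query_params(jdbc_url):
    """Return the key/value pairs from the query string of a pgjdbc URL.

    Raises ValueError for non-pgjdbc URLs so a wrong driver prefix is reported
    rather than silently treated as 'not affected'.
    """
    if not jdbc_url.startswith(PGJDBC_PREFIX):
        raise ValueError("not a pgjdbc URL: %r" % jdbc_url)
    _, sep, query = jdbc_url.partition("?")
    if not sep:
        return {}
    # For a repeated key the last value wins, as it would when written into a Properties object.
    return {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}


def effective_query_mode(jdbc_url, properties=None):
    """Return the query mode a connection would use, considering both the URL and properties.

    Which source wins inside the driver is deliberately not relied on: if either one
    selects the affected mode, the connection is reported as 'simple' (conservative).
    """
    candidates = [url_query_params(jdbc_url).get(QUERY_MODE_PROPERTY)]
    if properties:
        candidates.append(properties.get(QUERY_MODE_PROPERTY))
    modes = [m for m in candidates if m]
    if AFFECTED_MODE in modes:
        return AFFECTED_MODE
    return modes[-1] if modes else DEFAULT_MODE


def uses_simple_query_mode(jdbc_url, properties=None):
    """True if the connection runs in the mode under which CVE-2024-1597 is exploitable."""
    return effective_query_mode(jdbc_url, properties) == AFFECTED_MODE


def jdbc_urls_from_cfg_xml(xml_text):
    """Pull JDBC URLs out of a cfg.xml-style file (property elements named *connection.url)."""
    root = ET.fromstring(xml_text)
    return [
        (prop.text or "").strip()
        for prop in root.iter("property")
        if prop.get("name", "").endswith("connection.url")
    ]


def audit_cfg_xml(xml_text):
    """Return (url, mode, affected) for each pgjdbc URL in the file; other drivers are skipped."""
    findings = []
    for url in jdbc_urls_from_cfg_xml(xml_text):
        if not url.startswith(PGJDBC_PREFIX):
            continue
        mode = effective_query_mode(url)
        findings.append((url, mode, mode == AFFECTED_MODE))
    return findings


# Constructed sample in the shape of an Atlassian cfg.xml; host and database names are made up.
SAMPLE_CFG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<application-configuration>
  <properties>
    <property name="hibernate.connection.driver_class">org.postgresql.Driver</property>
    <property name="hibernate.connection.url">jdbc:postgresql://db.internal:5432/bamboo?ssl=true&amp;preferQueryMode=simple</property>
    <property name="hibernate.connection.username">bamboo</property>
  </properties>
</application-configuration>
"""

if __name__ == "__main__":
    for url, mode, affected in audit_cfg_xml(SAMPLE_CFG_XML):
        print("%s  preferQueryMode=%s  %s" % (url, mode, "AFFECTED" if affected else "ok"))
```

Run it against a real cfg.xml (and against any JDBC URL or properties file handed to a product by an external configuration tool) to confirm no connection selects the “simple” mode; patching the product is still required regardless of the result.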

Bamboo data centre and server also inherit CVE-2024-21634, a denial-of-service bug in Amazon’s ion-java, the Java implementation of the Ion data notation.

The bugs affect all versions of Bamboo data centre and server prior to 8.2.0, and are fixed in 9.6.0 or 9.5.2 (for data centre), 9.4.4, and 9.2.12 (LTS).

CVE-2024-21634 also affects Atlassian’s Bitbucket data centre and server, which has also been patched against the bug.

Meanwhile, Confluence data centre and server have also been patched against CVE-2024-1597, as well as CVE-2023-36478 (a denial-of-service bug in Eclipse Jetty’s HTTP/2 HPACK header decoding).

The rest of the bugs covered in Atlassian’s advisory are high-severity bugs in Jira.

Most are denial-of-service vulnerabilities, but there are three remote code execution bugs: CVE-2022-34169, an integer truncation bug in the Apache Xalan-Java XSLT library; and a pair of bugs in Batik, part of Apache XML Graphics, CVE-2022-42890 and CVE-2022-41704, both of which let a crafted SVG cause Batik to run untrusted Java code.


