Executive Summary
Atlassian has published security advisories for four critical vulnerabilities in its products, each of which can lead to remote code execution if exploited. The vulnerabilities are summarised below.
Organisations using affected Atlassian products should review the security advisories and promptly take the necessary actions.
CVE-2022-1471
This is a deserialization vulnerability in the SnakeYAML library (versions before 2.0), which Atlassian bundles in several products. It has a CVSS score of 9.8. SnakeYAML's default loader resolves YAML global tags to arbitrary JVM classes, so an attacker who can get untrusted YAML parsed by the library can instantiate classes of their choosing and reach remote code execution. Atlassian lists Jira, Bitbucket, and Confluence Data Center and Server editions as affected.
To learn how to address or temporarily mitigate it in detail, please refer to Atlassian’s security advisory.
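As an added illustration of the SnakeYAML pattern behind CVE-2022-1471 (example code written for this page, not Atlassian's or the SnakeYAML project's own), the following Java snippet contrasts the default `new Yaml()` loader with one built on `SafeConstructor`. It assumes a SnakeYAML 1.x release that exposes `SafeConstructor(LoaderOptions)` (1.33 or later); the YAML document, the class name `SnakeYamlTagDemo` and the method names are constructed for this example. The document uses `java.net.URL` only because it is harmless; the point is that the class name is chosen by whoever supplies the YAML. On SnakeYAML 2.0 and later, `new Yaml()` already refuses global tags, so both loaders reject the document there.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlTagDemo {

    // Constructed input for this example: a YAML document carrying a global (!!) tag that
    // names an arbitrary JVM class. SnakeYAML 1.x resolves the tag by reflection and calls
    // the class's constructor with the sequence elements as arguments. java.net.URL is used
    // here only because it has no side effects; the attacker picks the class name.
    static final String UNTRUSTED_YAML = "!!java.net.URL [\"https://example.invalid/\"]";

    // Vulnerable pattern (CVE-2022-1471 in 1.x): the no-argument Yaml() uses the full
    // Constructor, which honours any !! class tag in the input.
    static Object loadUnsafe(String yaml) {
        Yaml loader = new Yaml();
        return loader.load(yaml);
    }

    // Hardened pattern: SafeConstructor only builds the standard YAML node types (maps,
    // lists, scalars) and rejects class tags with a YAMLException instead of instantiating.
    static Object loadSafe(String yaml) {
        LoaderOptions options = new LoaderOptions();
        Yaml loader = new Yaml(new SafeConstructor(options));
        return loader.load(yaml);
    }

    public static void main(String[] args) {
        // The unsafe loader hands back an instance of whatever class the tag named.
        Object fromDefaultLoader = loadUnsafe(UNTRUSTED_YAML);
        System.out.println("default loader produced: " + fromDefaultLoader.getClass().getName());

        // The hardened loader refuses the same document.
        try {
            loadSafe(UNTRUSTED_YAML);
            System.out.println("safe loader accepted the document (unexpected)");
        } catch (YAMLException e) {
            System.out.println("safe loader rejected the class tag: " + e.getMessage());
        }
    }
}
```

When auditing a code base for this issue, the call to look for is any `new Yaml()` or `new Yaml(new Constructor(...))` that ends up parsing input an external party controls; replacing the constructor with `SafeConstructor`, or upgrading to SnakeYAML 2.x, closes the class-instantiation primitive that the published exploit chain for CVE-2022-1471 builds on.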
CVE-2023-22523
This flaw in Assets Discovery for Jira Service Management enables privileged remote code execution on machines that have the Assets Discovery agent installed. It has a CVSS score of 9.8.
To learn how to address or temporarily mitigate it in detail, please refer to Atlassian’s security advisory.
CVE-2023-22524
This is a remote code execution vulnerability in the Atlassian Companion app for macOS, used with Confluence, with a CVSS score of 9.6. An attacker can use WebSockets to bypass the Companion app's blocklist and macOS Gatekeeper, allowing arbitrary code to be executed on the user's machine.
To learn how to address or temporarily mitigate it in detail, please refer to Atlassian’s security advisory.
CVE-2023-22522
This is a template injection flaw in Confluence Data Center and Server with a CVSS score of 9.0. It allows an authenticated attacker, including one using anonymous access where that is enabled, to inject unsafe input into a Confluence page and achieve code execution on the server.
To learn how to address or temporarily mitigate it in detail, please refer to Atlassian’s security advisory.
Call to Action
We strongly recommend that organisations using affected Atlassian products apply the fixes or, if not possible, implement temporary mitigations as soon as possible.
Separately, Bamboo Data Center and Server were among the products affected by the Apache ActiveMQ vulnerability (CVE-2023-46604) that was being actively exploited, and Atlassian released a patch in early November; details are in Atlassian's Bamboo advisory. Atlassian products are increasingly targeted by attackers, so we strongly advise updating to patched versions immediately.