Executive Summary
Today, Atlassian released a security bulletin that addresses 28 high-severity vulnerabilities in multiple products. Among them, five have a CVSS score of 8.0 or higher.
These critical vulnerabilities in Atlassian products have been fixed in the latest releases. Organisations running affected products should upgrade to the latest version or to the supported fixed versions specified by Atlassian. You can find more information in Atlassian’s security bulletin.
Atlassian Vulnerabilities with a CVSS Score of 8+
CVE-2020-26217
CVE-2020-26217 is a high-severity vulnerability in the org.jvnet.hudson:xstream dependency, affecting Bamboo Data Center and Server (version 9.2.1). With a CVSS score of 8.8, it allows authenticated attackers to compromise assets, impacting confidentiality, integrity, and availability.
CVE-2018-10054
CVE-2018-10054 is a vulnerability in the com.h2database:h2 dependency, present in Bamboo Data Center and Server versions 9.1.0 to 9.4.0. Also scoring 8.8 on CVSS, it permits authenticated attackers to target and exploit assets.
CVE-2024-21674
CVE-2024-21674 in Confluence Data Center and Server version 7.13.0 is a Remote Code Execution (RCE) threat, scoring 8.6 on CVSS. It allows unauthenticated attackers to exploit assets, mainly affecting confidentiality. Notably, it does not require user interaction.
CVE-2024-21672
Found in Confluence Data Center and Server version 2.1.0, CVE-2024-21672 is an RCE vulnerability with a CVSS score of 8.3. Exploitation requires user interaction.
CVE-2024-21673
CVE-2024-21673, affecting Confluence Data Center and Server version 7.13.0, is an RCE threat with a CVSS score of 8.0. It enables exploitation without user interaction.
Recent Notable Confluence Vulnerabilities
Confluence had two vulnerabilities in October and November, both with the maximum CVSS score of 10, and both were exploited in real-world attacks. Please refer to the news articles below for more information about these Confluence vulnerabilities:
- [CVSS 10] Atlassian Flaw Reaches Max Severity Amid Increased Exploits
- [CVSS 10] China-Backed Group Exploits Atlassian Vulnerability
Also, in December, Atlassian addressed three critical Confluence vulnerabilities with CVSS scores of 9 or higher. You can find more details about the fixes here.
Closing Comments
The examples above illustrate Atlassian’s regular response to critical vulnerabilities, including recent instances of active exploitation. We strongly urge organisations using affected Confluence and Bamboo versions to update as per Atlassian’s guidelines. It is also important to remain vigilant for future security updates.