The Hacker NewsTHN:D6F147E0A260B049E5D2CA1F5DFF2F85Atlassian Releases Critical Software Fixes to Prevent Remote Code Execution
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.4 High
AI Score
Confidence
Low
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.968 High
EPSS
Percentile
99.6%
Atlassian has released software fixes to address four critical flaws in its software that, if successfully exploited, could result in remote code execution.
The list of vulnerabilities is below -
- CVE-2022-1471 (CVSS score: 9.8) - Deserialization vulnerability in SnakeYAML library that can lead to remote code execution in multiple products
- CVE-2023-22522 (CVSS score: 9.0) - Remote code execution vulnerability in Confluence Data Center and Confluence Server (affects all versions including and after 4.0.0)
- CVE-2023-22523 (CVSS score: 9.8) - Remote code execution vulnerability in Assets Discovery for Jira Service Management Cloud, Server, and Data Center (affects all versions up to but not including 3.2.0-cloud / 6.2.0 data center and server)
- CVE-2023-22524 (CVSS score: 9.6) - Remote code execution vulnerability in Atlassian Companion app for macOS (affects all versions up to but not including 2.0.0)
Atlassian described CVE-2023-22522 as a template injection flaw that allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page, resulting in code execution.
The Assets Discovery flaw allows an attacker to perform privileged remote code execution on machines with the Assets Discovery agent installed, whereas CVE-2023-22524 could permit an attacker to achieve code execution by utilizing WebSockets to bypass Atlassian Companion’s blocklist and macOS Gatekeeper protections.
The advisory comes nearly a month after the Australian software company revealed all versions of its Bamboo Data Center and Server products are impacted by an actively exploited critical security flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0). Fixes have been released in versions 9.2.7, 9.3.5, and 9.4.1 or later.
With Atlassian products becoming lucrative attack vectors in recent years, it’s highly recommended that users move quickly to update affected installations to a patched version.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.4 High
AI Score
Confidence
Low
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.968 High
EPSS
Percentile
99.6%