Atlassian released patches for four critical vulnerabilities that allow an attacker to execute Remote Code Execution (RCE) attacks on Confluence Data Center, Jira Core Data Center, Jira Software Server and several other products.
In an RCE attack, the attacker does not need physical access to the system: they can control it remotely and execute malicious commands on it.
Here is a list of the vulnerabilities:
CVE-2022-1471
This vulnerability affects products that use the SnakeYAML library. Atlassian cloud sites are unaffected.
Atlassian rates this vulnerability as critical, with a score of 9.8.
The vulnerability affects the following products:
- Automation for the Jira app (including Server Lite edition)
- Bitbucket Data Center
- Bitbucket Server
- Confluence Data Center
- Confluence Server
- Confluence Cloud Migration App
- Jira Core Data Center
- Jira Core Server
- Jira Service Management Data Center
- Jira Service Management Server
- Jira Software Data Center
- Jira Software Server
CVE-2023-22522
CVE-2023-22522, rated 9.0, is a template injection flaw affecting Confluence Data Center and Server.
It allows both authenticated attackers and those with anonymous access to inject potentially harmful user input into Confluence pages. Exploiting this vulnerability allows an attacker to execute code remotely on the affected instance.
CVE-2023-22524
This critical vulnerability is rated 9.6 and affects the Atlassian Companion App for macOS up to version 2.0.0.
CVE-2023-22524 allows attackers to leverage WebSockets to bypass Atlassian Companion's blocklist. This could enable the execution of unauthorised code, posing a significant threat to the security of users' devices.
CVE-2023-22523
CVE-2023-22523 has been rated 9.8 by Atlassian and affects the Jira Service Management Cloud, Server, and Data Center products.
“This vulnerability, if exploited, allows an attacker to perform privileged RCE (Remote Code Execution) on machines with the Assets Discovery agent installed. The vulnerability exists between the Assets Discovery application (formerly known as Insight Discovery) and the Assets Discovery agent,” says Atlassian's security advisory.
Atlassian recommends that all users update the affected products to fix these four flaws.