
Atlassian patches 9 high-severity vulnerabilities in Confluence, Crucible, and Jira


Software giant Atlassian has issued security patches for nine high-severity vulnerabilities in Confluence, Crucible, and Jira — three of the company’s most popular software offerings. All vulnerabilities were discovered via the company’s bug bounty program, pen-testing processes, and third-party library scans before being reported earlier this year.

Atlassian’s patch notes don’t mention active exploitation of these vulnerabilities in the wild. For now, Atlassian recommends users update their software to the latest version available and patch security issues before any exploitation cases start to appear.

Jira Data Center and Server and Jira Service Management Data Center and Server received updates for CVE-2024-21685. This high-severity bug allows unauthenticated attackers to view sensitive information via an information disclosure vulnerability. The issue has been resolved in Jira Data Center and Server versions 9.16.0, 9.16.1, 9.12.8, 9.12.10 (LTS), 9.4.21, and 9.4.23 (LTS), and Jira Service Management Data Center and Server versions 5.16.0, 5.16.1, 5.12.8, 5.12.10 (LTS), 5.4.21, and 5.4.23 (LTS).
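For administrators checking an estate against the fixed-version list above, the following added example (not code from the article or from Atlassian) decides whether an installed Jira or Jira Service Management version already carries the CVE-2024-21685 fix. It assumes the usual reading of Atlassian fix lists: a branch with a listed fix is patched from that release onward, a branch with no listed fix is patched only if it is newer than the newest fixed feature release, and everything else is treated as affected. The hostnames and versions in the sample inventory are constructed.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fixed versions for CVE-2024-21685 exactly as listed in the article.
JIRA_FIXED = ["9.16.0", "9.16.1", "9.12.8", "9.12.10", "9.4.21", "9.4.23"]
JSM_FIXED = ["5.16.0", "5.16.1", "5.12.8", "5.12.10", "5.4.21", "5.4.23"]


def parse_version(text: str) -> Version:
    """Turn '9.12.8' into (9, 12, 8); a missing patch component counts as 0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def earliest_fix_per_branch(fixed: List[str]) -> Dict[Version, Version]:
    """Map each major.minor branch to the lowest fixed version in that branch."""
    branches: Dict[Version, Version] = {}
    for v in map(parse_version, fixed):
        branch = v[:2]
        if branch not in branches or v < branches[branch]:
            branches[branch] = v
    return branches


def is_patched(installed: str, fixed: List[str]) -> bool:
    """Assumed interpretation of the fix list: a branch with a listed fix is
    safe from that fix onward; a branch without one (e.g. 9.15.x) is safe only
    if it is newer than the newest fixed feature release (9.16.0)."""
    v = parse_version(installed)
    branches = earliest_fix_per_branch(fixed)
    if v[:2] in branches:
        return v >= branches[v[:2]]
    return v >= max(branches.values())


def audit(inventory: Dict[str, Tuple[str, List[str]]]) -> Dict[str, bool]:
    """Return host -> patched? for an inventory of (version, fix list) pairs."""
    return {host: is_patched(ver, fixed) for host, (ver, fixed) in inventory.items()}


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "jira-prod": ("9.12.7", JIRA_FIXED),   # LTS branch, one release short of the fix
    "jira-dev": ("9.16.1", JIRA_FIXED),    # listed fixed version
    "jsm-prod": ("5.4.21", JSM_FIXED),     # listed fixed version
    "jsm-old": ("5.15.2", JSM_FIXED),      # no fix in branch, older than 5.16.0
}

if __name__ == "__main__":
    for host, ok in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {'patched' if ok else 'UPDATE REQUIRED'}")
```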

The Confluence Data Center and Server update notes mention six vulnerabilities in various dependencies the program uses. The most severe of these flaws, tracked as CVE-2024-22257, is an access control problem in the Spring framework that allows unauthenticated users to access hidden assets. Three more bugs in the Spring framework, tracked as CVE-2024-22243, CVE-2024-22262, and CVE-2024-22259, are server-side request forgery vulnerabilities in the framework’s URL parsing functionality.

Two out-of-bounds write bugs in the Apache Commons Configuration were also patched. These bugs could allow attackers to carry out DoS (Denial-of-Service) attacks by submitting a maliciously crafted file or input. All aforementioned vulnerabilities have been patched in Confluence Data Center and Server versions 8.9.3, 8.5.11 (LTS), and 7.19.24 (LTS).

Moving on, Crucible Data Center and Server were affected by a deserialisation of untrusted data vulnerability arising from the com.google.code.gson:gson package. The vulnerability works in a similar manner to the two out-of-bounds write bugs mentioned above and, if exploited, can cause a DoS condition. The issue impacts Crucible Data Center and Server version 4.8.0 and below.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
