Atlassian fixes four critical RCE vulnerabilities, patch quickly!
Help Net Security – Helga Labus
Atlassian has issued updates to rectify four critical security flaws across its products, which pose a risk of arbitrary code execution.
These are the vulnerabilities along with their effects:
– **CVE-2022-1471**: This is a deserialization flaw within the SnakeYAML library used in Java, which could lead to an attacker executing remote code.
The vulnerability impacts multiple Atlassian applications, including various Jira and Confluence editions (Server, Data Center, and Cloud) as well as Bitbucket and the Automation for Jira app.
– **CVE-2023-22522**: This remote code execution vulnerability specifically affects Confluence Data Center and Server.
– **CVE-2023-22524**: Like CVE-2023-22522, this RCE vulnerability impacts Confluence Data Center, Server, and Cloud versions.
– **CVE-2023-22523**: This flaw affects Jira Service Management across its Cloud, Data Center, and Server iterations and also permits RCE.
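As an added illustration that is not code from the article or from Atlassian, the Java snippet below shows the SnakeYAML loading pattern behind CVE-2022-1471 next to the restricted form defenders should expect in their own code; the class name, sample documents and method names are constructed for this example.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoading {

    // Constructed sample input: a plain configuration document with no type tags.
    static final String PLAIN_CONFIG = "name: demo\nreplicas: 3\n";

    // Constructed sample input: the same data carrying a global tag that asks
    // SnakeYAML to instantiate a named Java class. Untrusted documents can carry
    // such tags; CVE-2022-1471 concerns the default constructor honouring them.
    static final String TAGGED_CONFIG = "!!java.util.HashMap {name: demo, replicas: 3}\n";

    // Risky pattern on affected versions: the no-argument Yaml() uses the full
    // Constructor, which resolves global tags to classes on the classpath.
    static Object loadUnrestricted(String document) {
        return new Yaml().load(document);
    }

    // Hardened pattern: SafeConstructor only builds standard YAML types
    // (maps, lists, scalars) and refuses documents that name Java classes.
    static Object loadRestricted(String document) {
        LoaderOptions options = new LoaderOptions();
        Yaml yaml = new Yaml(new SafeConstructor(options));
        return yaml.load(document);
    }

    public static void main(String[] args) {
        Map<?, ?> plain = (Map<?, ?>) loadRestricted(PLAIN_CONFIG);
        System.out.println("plain document loaded: " + plain);

        try {
            loadRestricted(TAGGED_CONFIG);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            // Expected: SafeConstructor has no constructor for the !!java.* tag.
            System.out.println("tagged document rejected: " + e.getMessage());
        }
    }
}
```

Reviewing a code base for `new Yaml()` without a `SafeConstructor` is a quick way to find call sites that still rely on the unrestricted default while the library upgrade is pending.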
Atlassian has not disclosed whether there has been any exploitation of these vulnerabilities in the wild but is urging users to update to the latest versions offering fixes.
For those unable to update immediately, temporary measures are provided to mitigate the risks associated with CVE-2023-22522, CVE-2023-22524, and CVE-2023-22523.
In addition to these, Atlassian has recently addressed two other vulnerabilities in Confluence Data Center and Server that were actively exploited: CVE-2023-22515, relating to broken access control, and CVE-2023-22518, which could allow an attacker to reset databases and create administrative accounts in Confluence instances.
Link: https://www.helpnetsecurity.com/2023/12/06/atlassian-critical-vulnerabilities/