Australian software company Atlassian has addressed multiple high-severity vulnerabilities in its Confluence, Crucible, and Jira products.
Atlassian's June 2024 Security Bulletin covers nine high-severity vulnerabilities, all of them in third-party dependencies or core components of Confluence, Fisheye/Crucible, and Jira.
The most severe issue is an improper authorization flaw in the org.springframework.security:spring-security-core dependency used by Confluence Data Center and Server. The flaw, tracked as CVE-2024-22257, received a CVSS score of 8.2.
The same Confluence Data Center and Server update also resolves five other dependency flaws: three SSRF (Server-Side Request Forgery) issues in org.springframework:spring-web and two DoS (Denial of Service) issues in org.apache.commons:commons-configuration2. Below is the list of the addressed flaws:
Released Security Vulnerabilities

| Product & Release Notes | Affected Versions | Fixed Versions | Vulnerability Summary | CVE ID | CVSS Severity |
|---|---|---|---|---|---|
| Confluence Data Center and Server | 8.9.0 to 8.9.2; 8.8.0 to 8.8.1; 8.7.1 to 8.7.2; 8.6.0 to 8.6.2; 8.5.0 to 8.5.10 (LTS); 8.4.0 to 8.4.5; 8.3.0 to 8.3.4; 8.2.0 to 8.2.3; 8.1.0 to 8.1.4; 8.0.0 to 8.0.4; 7.20.0 to 7.20.3; 7.19.0 to 7.19.23 (LTS) | 8.9.3 (Data Center only); 8.5.11 (LTS, recommended); 7.19.24 (LTS) | Improper Authorization in the org.springframework.security:spring-security-core dependency | CVE-2024-22257 | 8.2 High |
| Confluence Data Center and Server | same as above | same as above | SSRF (Server-Side Request Forgery) in the org.springframework:spring-web dependency | CVE-2024-22243 | 8.1 High |
| Confluence Data Center and Server | same as above | same as above | SSRF (Server-Side Request Forgery) in the org.springframework:spring-web dependency | CVE-2024-22262 | 8.1 High |
| Confluence Data Center and Server | same as above | same as above | SSRF (Server-Side Request Forgery) in the org.springframework:spring-web dependency | CVE-2024-22259 | 8.1 High |
| Confluence Data Center and Server | same as above | same as above | DoS (Denial of Service) in the org.apache.commons:commons-configuration2 dependency | CVE-2024-29133 | 7.5 High |
| Confluence Data Center and Server | same as above | same as above | DoS (Denial of Service) in the org.apache.commons:commons-configuration2 dependency | CVE-2024-29131 | 7.5 High |
Confluence Data Center and Server versions 8.9.3, 8.5.11 (LTS), and 7.19.24 (LTS) addressed these vulnerabilities.
Atlassian also fixed a DoS vulnerability, tracked as CVE-2022-25647, in Fisheye/Crucible with the release of version 4.8.15.
The software firm also fixed the following vulnerabilities in the Jira Data Center and Server:
| Product & Release Notes | Affected Versions | Fixed Versions | Vulnerability Summary | CVE ID | CVSS Severity |
|---|---|---|---|---|---|
| Jira Data Center and Server | 9.12.0 to 9.12.7 (LTS); 9.4.0 to 9.4.20 (LTS) | 9.16.0 to 9.16.1 (Data Center only); 9.12.8 to 9.12.10 (LTS, recommended); 9.4.21 to 9.4.23 (LTS) | Information Disclosure in Jira Core Data Center | CVE-2024-21685 | 7.4 High |
| Jira Service Management Data Center and Server | 5.15.2; 5.12.0 to 5.12.7 (LTS); 5.4.0 to 5.4.20 (LTS) | 5.16.0 to 5.16.1 (Data Center only); 5.12.8 to 5.12.10 (LTS, recommended); 5.4.21 to 5.4.23 (LTS) | Information Disclosure in Jira Service Management Data Center and Server | CVE-2024-21685 | 7.4 High |
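Reading version ranges like the ones in the Confluence and Jira tables above by eye is error-prone, especially with a dozen affected branches and three different fixed releases. The following script is an added example, not code from Atlassian or from this article: it transcribes the affected ranges and fixed releases from both tables into data, classifies an installed version, and picks the smallest fixed release newer than it (staying on the current branch when that branch has a fix, otherwise moving up to the next fixed branch). The product keys `confluence`, `jira` and `jsm` are labels chosen for this script. Note the third outcome, `unlisted`: a version that falls outside every listed range (for example an out-of-support 7.18.x) is not thereby safe, and should be checked against Atlassian's support policy rather than assumed unaffected.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '8.5.10' (or '8.5.10-lts') into a tuple of ints that compares correctly."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


# Inclusive affected ranges and fixed releases, transcribed from the bulletin
# tables in this article. Product keys are labels chosen for this script.
AFFECTED = {
    "confluence": [
        ("8.9.0", "8.9.2"), ("8.8.0", "8.8.1"), ("8.7.1", "8.7.2"),
        ("8.6.0", "8.6.2"), ("8.5.0", "8.5.10"), ("8.4.0", "8.4.5"),
        ("8.3.0", "8.3.4"), ("8.2.0", "8.2.3"), ("8.1.0", "8.1.4"),
        ("8.0.0", "8.0.4"), ("7.20.0", "7.20.3"), ("7.19.0", "7.19.23"),
    ],
    "jira": [("9.12.0", "9.12.7"), ("9.4.0", "9.4.20")],
    "jsm": [("5.15.2", "5.15.2"), ("5.12.0", "5.12.7"), ("5.4.0", "5.4.20")],
}
FIXED = {
    "confluence": ["8.9.3", "8.5.11", "7.19.24"],
    "jira": ["9.16.0", "9.12.8", "9.4.21"],
    "jsm": ["5.16.0", "5.12.8", "5.4.21"],
}


def status(product: str, installed: str) -> str:
    """Return 'affected', 'fixed', or 'unlisted'.

    'unlisted' means the version sits outside every listed range: it may be
    out of support rather than safe, so treat it as needing review."""
    v = parse_version(installed)
    for lo, hi in AFFECTED[product]:
        if parse_version(lo) <= v <= parse_version(hi):
            return "affected"
    for f in FIXED[product]:
        fv = parse_version(f)
        # Same major.minor branch and at or past the fixed release.
        if v[:2] == fv[:2] and v >= fv:
            return "fixed"
    return "unlisted"


def recommended_fix(product: str, installed: str) -> Optional[str]:
    """Smallest fixed release newer than the installed one, or None if the
    installed version is already at or past every listed fix."""
    v = parse_version(installed)
    newer = [f for f in FIXED[product] if parse_version(f) > v]
    return min(newer, key=parse_version) if newer else None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("confluence", "8.5.3"), ("confluence", "8.7.2"),
                 ("confluence", "7.18.0"), ("jira", "9.4.20"), ("jsm", "5.15.2")]
    for product, ver in inventory:
        print(f"{product:10} {ver:8} {status(product, ver):9} -> {recommended_fix(product, ver)}")
```

When acting on the recommendation, remember the "Data Center only" qualifier from the tables: a Server deployment on 8.6.x through 8.9.x cannot take 8.9.3 and has to move to 8.5.11 (LTS) or 7.19.24 (LTS) instead, which the script does not model.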
The company is not aware of attacks in the wild exploiting the vulnerabilities fixed in the June 2024 Security Bulletin.
Pierluigi Paganini
(SecurityAffairs – hacking, China)