Atlassian fixes security vulnerabilities in Bitbucket, Confluence and Jira
Bitbucket, Confluence and Jira have security vulnerabilities that could lead to information leakage or denial of service.
Atlassian has published the security bulletin for October. In it, the company describes six security vulnerabilities in Bitbucket, Confluence and Jira. Updated software is available to patch the vulnerabilities.
In the security advisory, Atlassian's developers explain that the bundled Java Runtime Environment (JRE) in Bitbucket Data Center and Server, for example, allows unauthenticated attackers to read, delete, write or modify data without authorization (CVE-2024-21147, CVSS 7.4, risk "high"). Bitbucket Data Center 9.2.1 and 8.19.19 (LTS) fix the flaw, as do Bitbucket Data Center and Server 8.9.20 (LTS) – and of course newer versions.
Atlassian: Further vulnerabilities
In Confluence Data Center and Server, on the other hand, a stored cross-site scripting vulnerability (CVE-2024-4367, CVSS 8.1, high), a regular expression denial of service (ReDoS) vulnerability (CVE-2022-31129, CVSS 7.5, high), a directory traversal vulnerability (CVE-2022-24785, CVSS 7.5, high) and a denial-of-service vulnerability (CVE-2024-29131, CVSS 7.3, high) affect the security of the software. Confluence Data Center newer than 9.0.0 or from 8.9.3 to 8.9.7, and Confluence Data Center and Server 8.5.11 to 8.5.16 as well as 7.19.26 to 7.19.28 (LTS) and newer, close the security holes.
In Jira Data Center and Server, attackers can trigger a stack-based buffer overflow from the network without prior authentication (CVE-2024-7254, CVSS 7.5, high). According to Atlassian's developers, this only affects service availability. It appears to be a DoS vulnerability; according to the description, it does not seem to allow the execution of injected code, which is often the case with buffer overflows. Jira Data Center 10.1.1 and 5.17.4 as well as Jira Data Center and Server 5.12.14 (LTS) fix the security flaw.
The updated software is available for download from the Atlassian download portal. IT managers should apply the updates quickly.
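The practical difficulty with bulletins like this one is that a fix lands on several release lines at once, so a plain numeric comparison gives wrong answers: 8.19.18 is older than 9.2.1 but must be checked against 8.19.19, and a line with no fix listed (say 8.15.x) is not covered at all. The following script, added here as an example and not code from Atlassian or from this article, encodes the Bitbucket fixed versions quoted above and classifies installed versions per release line. The inventory of hostnames and versions is constructed for the demonstration; the treatment of lines newer than the newest fixed line as fixed follows the article's "and of course newer versions".

```python
"""Classify installed Atlassian product versions against a bulletin's fixed versions.

Fixed versions are the ones quoted in the article above for Bitbucket
(9.2.1, 8.19.19 LTS, 8.9.20 LTS). Everything else here is example scaffolding.
"""
from typing import Dict, Tuple

Version = Tuple[int, ...]

# Minimum fixed version per release line, as stated in the bulletin summary above.
FIXED_VERSIONS = {
    "bitbucket": ["9.2.1", "8.19.19", "8.9.20"],
}

# Constructed inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = {
    "git-prod-01.example.internal": ("bitbucket", "8.19.18"),
    "git-prod-02.example.internal": ("bitbucket", "8.19.19"),
    "git-lab.example.internal": ("bitbucket", "8.15.2"),
    "git-new.example.internal": ("bitbucket", "9.3.0"),
}


def parse_version(text: str) -> Version:
    """Turn '9.2.1' into (9, 2, 1); pad short strings so tuples compare sanely."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"need at least major.minor, got {text!r}")
    return parts + (0,) * (3 - len(parts))


def release_line(version: Version) -> Tuple[int, int]:
    """A release line is identified by major.minor (8.19.x, 9.2.x, ...)."""
    return version[0], version[1]


def patch_status(product: str, installed: str) -> str:
    """Return 'fixed', 'vulnerable' or 'no-fix-listed' for one installed version.

    - same line as a listed fix: compare against that line's minimum fixed version
    - a line newer than the newest fixed line: treated as fixed (newer releases)
    - a line with no fix listed: flagged separately, since it needs an upgrade
      to a supported line rather than a patch-level bump
    """
    inst = parse_version(installed)
    fixed_by_line: Dict[Tuple[int, int], Version] = {}
    for fixed in FIXED_VERSIONS[product]:
        fv = parse_version(fixed)
        fixed_by_line[release_line(fv)] = fv

    line = release_line(inst)
    if line > max(fixed_by_line):
        return "fixed"
    minimum = fixed_by_line.get(line)
    if minimum is None:
        return "no-fix-listed"
    return "fixed" if inst >= minimum else "vulnerable"


def report(inventory: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Map every host in the inventory to its patch status."""
    return {host: patch_status(product, ver) for host, (product, ver) in inventory.items()}


if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host:32} {status}")
```

Hosts reported as `no-fix-listed` are the ones most easily missed by a simple "is my version above X" check; they sit on a release line the bulletin does not patch and need to move to an LTS or current line.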
Atlassian's September update collection included patches for Bamboo, Bitbucket, Confluence and Crowd Data Center and Server. All vulnerabilities were classified as high risk by Atlassian's developers.
(dmk)