Security vulnerabilities: Atlassian patches Bamboo, Confluence, Jira and Co.

Atlassian has released updates for numerous products. They close security gaps in Bamboo, Confluence and Jira, for example, which are considered high risk.

Stylized image: Computer under clouds with protective shields and viruses

(Image: created with AI in Bing Designer by heise online / dmk)


Atlassian has provided several products with updates this week. These fix security vulnerabilities that the company classifies as high risk.

In total, Atlassian is patching nine high-risk vulnerabilities. The most serious ones affect Crowd Data Center and Server: three Server Side Request Forgery vulnerabilities (CVE-2024-22243, CVE-2024-22259, CVE-2024-22262; all CVSS 8.1, risk "high"). The leaks are closed only in versions 5.1.11, 5.2.6, 5.2.7 and 5.3.3 of Crowd, and in 6.0.0 and 6.0.1 of Crowd Data Center.

In Bamboo Data Center and Server, attackers can inject code (CVE-2024-21689, CVSS 7.6, high) or provoke a denial-of-service condition (CVE-2024-29857, CVSS 7.5, high). Only Bamboo Data Center 9.2.17 (LTS) and 9.6.5 (LTS) correct these security-relevant errors.

Confluence Data Center and Server, meanwhile, are affected by a denial-of-service vulnerability (CVE-2024-34750, CVSS 7.5, high). Attackers can also abuse a reflected cross-site scripting and cross-site request forgery vulnerability (CVE-2024-21690, CVSS 7.1, high). Versions 7.19.26 (LTS), 8.5.14 (LTS) and 8.9.5 of Confluence fix the bugs, as do versions 9.0.1 and 9.0.2 of the Data Center.

There is also a denial-of-service vulnerability in Jira Data Center and Server (CVE-2024-34750, CVSS 7.5, high), which is closed in versions 9.4.25 (LTS), 9.12.12 (LTS) and in Data Center 9.17.1 and 9.17.2. In addition, attackers can abuse a denial-of-service vulnerability in Jira Service Management Data Center and Server for malicious purposes (CVE-2024-34750, CVSS 7.5, high). Updating to versions 5.4.25 (LTS), 5.12.12 (LTS) or Data Center 5.17.1 or 5.17.2 protects against this.

According to Atlassian's security announcement, the updated packages are available for download from the software download portal.

Atlassian last closed a security vulnerability in Bamboo Data Center and Server in mid-July, which allowed attackers to execute files and compromise the integrity of the software development environment.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.