Atlassian Releases Patches for Critical Vulnerabilities in Server and Data Center Products
Atlassian has released patches for high-severity vulnerabilities in its Jira, Confluence, Bitbucket, and Bamboo server and data center products. Learn more about the flaws and the risks they pose to users.
- Atlassian has patched high-severity vulnerabilities in its Confluence, Jira, and Bamboo products.
- Atlassian quickly released patches for impacted versions (9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0 and 9.6.0) to address the flaws.
- CVE-2024-21687, the most severe flaw, is a file inclusion vulnerability with a CVSS score of 8.1.
Leading software vendor Atlassian has released security updates to patch several high-severity vulnerabilities in its Confluence, Jira, Bitbucket, and Bamboo products. These flaws could enable malicious actors to run arbitrary code on targeted systems. The bugs patched in this update include CVE-2024-21687 (File Inclusion Vulnerability), CVE-2024-22262 (SSRF Vulnerability), CVE-2024-21686 (Stored XSS Vulnerability), CVE-2021-36090 (Denial of Service), CVE-2024-21688 (Dependency vulnerability), and CVE-2022-41966 (Denial of Service).
These flaws were discovered via third-party library scans, Atlassian’s Bug Bounty program, and penetration testing processes. They affect product versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0 and 9.6.0. The most severe of these vulnerabilities is CVE-2024-21687, which has a CVSS score of 8.1 out of 10. These vulnerabilities could lead to data theft, unauthorized access, and compromised networks.
The updates also patched over a dozen vulnerabilities associated with the bundled Java Development Kit, which don’t affect the .zip/.tar.gz distribution. These vulnerabilities were introduced in the 7.0.1 versions of the Confluence Data Center and Server. Other fixes include a patch for a stored cross-site scripting (XSS) problem that allowed the execution of arbitrary code in browsers.
Mitigation Measures
Atlassian recommends that users upgrade their installations to the latest versions. Users are also encouraged to check the Vulnerability Disclosure Portal to verify whether the new vulnerabilities affect their product versions. While there has been no disclosure of these flaws being exploited in the wild, users are urged to apply the patched versions as soon as possible.
Users should also review and ensure that instances are correctly configured, per Atlassian’s security best practices. For systems that cannot be updated immediately, users should consider workarounds while maintaining increased vigilance for suspicious activity around Atlassian products.