Security Bulletin: Atlassian June 2024

Date: June 18, 2024
CVE: CVE-2024-22257
Vulnerability Type: Improper Authorization
CWE: [[CWE-284]], [[CWE-918]], [[CWE-400]]
Sources: Atlassian Documentation, NVD

Synopsis

Atlassian has released a security bulletin addressing multiple high-severity vulnerabilities in its products. These vulnerabilities, discovered through the company's Bug Bounty program and third-party scans, have been fixed in recent versions.

Issue Summary

Nine high-severity vulnerabilities affecting various Atlassian products were disclosed. These vulnerabilities include issues such as improper authorization and server-side request forgery (SSRF) in dependencies like org.springframework.security:spring-security-core and org.springframework:spring-web. Confluence, Jira, and Fisheye/Crucible are among the affected products.

Technical Key Findings

The vulnerabilities are primarily improper authorization and SSRF flaws rooted in insufficient validation of user-controlled input. For instance, CVE-2024-22257 is an improper authorization flaw in the org.springframework.security:spring-security-core dependency that could allow unauthorized access.

Vulnerable Products

  • Confluence Data Center and Server: Versions 8.9.0 to 8.9.2, 8.8.0 to 8.8.1, 8.7.1 to 8.7.2, among others.
  • Fisheye/Crucible: Versions 4.8.10 to 4.8.14.
  • Jira Data Center and Server: Versions 9.12.0 to 9.12.7 (LTS), 9.4.0 to 9.4.20 (LTS).
  • Jira Service Management: Versions 5.15.2, 5.12.0 to 5.12.7 (LTS).
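A triage helper that matches an installed-version inventory against the inclusive ranges listed above; it is an added example, not Atlassian's code, and the inventory hosts and versions are constructed sample data. Versions are compared as integer tuples, because plain string comparison misorders releases such as 9.4.9 and 9.4.20.

```python
"""Match installed Atlassian versions against the bulletin's affected ranges.
Added example (not Atlassian's code); inventory entries are constructed."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Inclusive affected ranges exactly as listed in the bulletin. Ranges the
# bulletin elides with "among others" are intentionally not represented.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "confluence": [("8.9.0", "8.9.2"), ("8.8.0", "8.8.1"), ("8.7.1", "8.7.2")],
    "fisheye-crucible": [("4.8.10", "4.8.14")],
    "jira": [("9.12.0", "9.12.7"), ("9.4.0", "9.4.20")],
    "jira-service-management": [("5.15.2", "5.15.2"), ("5.12.0", "5.12.7")],
}


def parse_version(text: str) -> Version:
    """Turn '9.4.20' into (9, 4, 20). Integer tuples order correctly where
    strings do not: '9.4.9' > '9.4.20' as text, but (9, 4, 9) < (9, 4, 20)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, installed: str) -> bool:
    """True when the installed version lies inside any listed range for the product."""
    v = parse_version(installed)
    return any(parse_version(low) <= v <= parse_version(high)
               for low, high in AFFECTED.get(product, []))


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return sorted 'host product version' lines for instances that need patching."""
    return sorted(f"{host} {product} {version}"
                  for host, product, version in inventory
                  if is_affected(product, version))


# Constructed sample inventory: (host, product, installed version).
SAMPLE_INVENTORY = [
    ("jira-01", "jira", "9.4.9"),                     # inside 9.4.0 to 9.4.20
    ("wiki-01", "confluence", "8.9.3"),               # past the listed range
    ("fecru-01", "fisheye-crucible", "4.8.14"),       # upper bound, inclusive
    ("jsm-01", "jira-service-management", "5.15.1"),  # below 5.15.2, outside 5.12.x
]

if __name__ == "__main__":
    for line in triage(SAMPLE_INVENTORY):
        print("PATCH NEEDED:", line)
```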

Impact Assessment

Exploiting these vulnerabilities could lead to unauthorized access, denial of service (DoS), or information disclosure, significantly impacting the confidentiality, integrity, and availability of the affected systems.

Patches or Workaround

Patches have been released for the affected products. Users are advised to update to the latest versions or apply the recommended fixed versions listed in the bulletin. No temporary mitigations are provided; hence, immediate patching is crucial.

Tags

#Atlassian #CVE-2024-22257 #ImproperAuthorization #SSRF #DoS #Confluence #Jira #SecurityBulletin #Vulnerability

Security Bulletin - June 18 2024 | Atlassian Support | Atlassian Documentation