Software vendor Atlassian on Tuesday released security-themed updates to fix several high-severity vulnerabilities in its Bamboo, Confluence and Jira products.
The Australian firm called urgent attention to the Bamboo Data Center and Server updates that resolve two high-severity bugs, including one affecting the UriComponentsBuilder dependency that could allow an unauthenticated attacker to perform a server-side request forgery (SSRF) attack.
Tracked as CVE-2024-22262, the bug affects Bamboo Data Center and Bamboo Server versions 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, 9.5.0, and 9.6.0, and was addressed in version 9.6.3 LTS and 9.2.14 LTS.
The second issue, tracked as CVE-2024-21687, is a file inclusion flaw that allows an attacker “to get the application to display the contents of a local file, or execute a different file already stored locally on the server,” Atlassian said.
Affecting versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0 and 9.6.0 of Bamboo Data Center and Server, the issue requires authentication for successful exploitation and was addressed in Bamboo Data Center and Server versions 9.6.4 LTS and 9.2.16 LTS.
The company also rolled out patches for seven high-severity vulnerabilities in Confluence Data Center and Confluence Server, five of which are denial-of-service flaws in the Apache Commons Compress dependency.
“The vulnerable version of this library exists in Confluence but is not being utilized. Because of this our products are not inherently vulnerable and at risk. Upgrading will move to a newer version of the library – but any future upgrades will do the same,” Atlassian notes.
The bugs were resolved in Confluence Data Center versions 8.9.4, 8.5.12 LTS, and 7.19.25 LTS, and in Confluence Server versions 8.5.12 LTS and 7.19.25 LTS.
The updates also address over a dozen CVEs tied to the bundled JDK, but not affecting the .zip/.tar.gz distribution. The third-party dependency weakness was introduced in versions 7.0.1 of Confluence Data Center and Server.
Additionally, Atlassian released fixes for a stored cross-site scripting (XSS) issue that could allow an authenticated attacker to execute arbitrary HTML or JavaScript code in a victim’s browser.
Jira Software Data Center and Server and Jira Service Management Data Center and Server were updated to resolve a high-severity vulnerability in the XStream dependency that could be exploited to cause a denial-of-service condition.
Patches for the bug, which is tracked as CVE-2022-41966, were included in Jira Software Data Center and Server versions 9.8.0, 9.12.0 LTS, and 9.4.18 LTS, and in Jira Service Management Data Center and Server versions 5.8.0, 5.12.0 LTS, and 5.4.18 LTS.
Atlassian makes no mention of any of these vulnerabilities being exploited in the wild, but users are advised to apply the patches as soon as possible.
Related: Atlassian Patches High-Severity Vulnerabilities in Confluence, Crucible, Jira
Related: Critical Apache OFBiz Vulnerability in Attacker Crosshairs
Related: 3CX Urges Customers to Disable Integration Due to Potential Vulnerability
